Certified in Risk and Information Systems Control (CRISC) — Questions 901–975

982 questions total · 14 pages · All types, answers revealed


Page 13 of 14

901
Multi-Select · easy

An IT risk manager is categorizing risks identified during a recent assessment. Which TWO categories would include the risk of a system outage caused by a software bug?

Select 2 answers
A. Operational risk
B. Compliance risk
C. Strategic risk
D. Financial risk
E. Reputational risk
Answers: A, D

System outages are operational failures.

Why this answer

A system outage due to a software bug is an operational risk (failure in IT operations) and can also be considered a financial risk if it leads to revenue loss or penalties.

902
MCQ · medium

An organization is implementing a new cloud-based customer relationship management (CRM) system. Which of the following risk categories would BEST describe the risk of the CRM system failing to meet performance expectations?

A. Compliance risk
B. Strategic risk
C. Operational risk
D. Reputational risk
Answer: C

System performance failure is an operational risk.

Why this answer

Operational risk includes failures in internal processes, people, systems, or external events. Performance failure of a new system is an operational risk.

903
MCQ · medium

A company's risk monitoring report shows that a key risk indicator (KRI) has exceeded the threshold for three consecutive months. What is the MOST appropriate action?

A. Conduct a root cause analysis and implement corrective actions.
B. Wait for the KRI to return to normal on its own.
C. Raise the threshold to avoid future breaches.
D. Implement temporary manual controls.
Answer: A

Addresses the cause of the KRI breach.

Why this answer

A KRI that has exceeded its threshold for three consecutive months indicates a persistent risk condition, not a transient anomaly. The most appropriate action is to conduct a root cause analysis to identify the underlying issue and implement corrective actions to bring the risk back within acceptable levels. This aligns with the CRISC domain of Risk and Control Monitoring and Reporting, which emphasizes proactive remediation over passive observation or threshold manipulation.

Exam trap

The trap here is that candidates may confuse a persistent KRI breach with a temporary spike and choose to wait (Option B) or adjust the threshold (Option C), failing to recognize that the CRISC framework mandates investigation and corrective action for sustained deviations.

How to eliminate wrong answers

Option B is wrong because waiting for the KRI to return to normal on its own ignores the persistent nature of the breach and assumes a self-correcting mechanism, which is not a valid risk management strategy. Option C is wrong because raising the threshold to avoid future breaches is a form of risk acceptance without justification and undermines the integrity of the KRI as an early warning indicator. Option D is wrong because implementing temporary manual controls without first understanding the root cause may address symptoms but not the underlying risk, and manual controls often introduce operational inefficiencies and are not sustainable.

904
MCQ · medium

Refer to the exhibit. What risk is most directly indicated by this log entry?

A. External attack
B. Misconfigured firewall
C. Unauthorized access attempt
D. Insider threat
Answer: C

Repeated failed SSH logins for 'root' from a single source, with no successful authentication, directly indicate an unauthorized access attempt.

Why this answer

The log entry shows repeated 'Failed password' events for user 'root' from 10.10.10.10 over SSH. This directly indicates an unauthorized access attempt: someone is trying to authenticate with credentials they do not hold, and the failure count suggests brute-force or password guessing. The source sits outside the trusted network, though note that 10.10.10.10 is RFC 1918 private address space, so it is not an internet host; the attempt is unauthorized because of who is trying, not because of where on the internet it comes from.

Exam trap

The trap is that candidates see a source outside the trusted network and jump to 'external attack' (Option A), but the question asks for the risk 'most directly indicated', which is the specific unauthorized access attempt, not the general category of attack.

How to eliminate wrong answers

Option A is wrong because the log shows no exploit, malware, or successful breach, only failed authentication attempts, so 'external attack' is too broad and not directly indicated; a 10.x.x.x source is in any case not an internet-external address. Option B is wrong because a misconfigured firewall would permit or deny traffic incorrectly (e.g., allowing inbound SSH when it should be blocked); the log shows SSH reaching the host and authentication failing, which is not evidence of a rule problem (whether SSH should be reachable from that source at all is a separate question the entry does not answer). Option D is wrong because an insider threat implies an authenticated user abusing legitimate privileges; here 'root' never authenticates, so the entry shows an attempt to gain access, not misuse of access already held.

905
MCQ · medium

During a merger and acquisition (M&A) due diligence, the acquiring company's IT risk manager is tasked with identifying risks in the target's IT environment. Which of the following would be the MOST effective technique to uncover hidden risks?

A. Analyze the target's existing risk register
B. Perform an on-site technical assessment and interview key IT staff
C. Review the target's IT policies and procedures
D. Conduct a network vulnerability scan
Answer: B

Direct assessment uncovers undocumented controls and cultural issues.

Why this answer

Option B is correct because an on-site technical assessment and interviews allow the risk manager to observe actual controls, uncover undocumented systems, and assess security culture. Option A is incorrect because the target's own risk register may be incomplete or biased. Option C is incorrect because reviewing only high-level policies may miss operational gaps. Option D is incorrect because a vulnerability scan finds technical weaknesses but does not cover process or governance risks.

906
Multi-Select · medium

A company is evaluating its control monitoring program. Which TWO of the following are key elements of an effective control monitoring framework? (Choose two.)

Select 2 answers
A. Integration with performance management.
B. Periodic review of KRI thresholds.
C. Use of statistical sampling for all tests.
D. Automated alerts for all control failures.
E. Clearly defined roles and responsibilities.
Answers: B, E

Thresholds must be reviewed to remain aligned with risk appetite.

Why this answer

Periodic review of KRI thresholds is a key element because KRIs must remain aligned with the evolving risk landscape; thresholds that are not reviewed can become obsolete, leading to false positives or missed risk indicators. Clearly defined roles and responsibilities ensure accountability for control execution, monitoring, and escalation, which is foundational to any effective control monitoring framework.

Exam trap

The trap here is that candidates confuse operational efficiency elements (like performance management or full automation) with the foundational governance and risk-alignment components that ISACA emphasizes for effective control monitoring.

907
Matching · medium

Match each information security objective to its description.

Confidentiality: Data is accessible only to authorized parties

Integrity: Data is accurate and complete

Availability: Data is accessible when needed

Accountability: Actions can be traced to individuals

Why these pairings

The CIA triad plus accountability are core security principles.

908
Multi-Select · medium

Which TWO of the following are examples of risk transfer? (Select TWO.)

Select 2 answers
A. Outsourcing IT operations to a third party
B. Implementing encryption
C. Accepting residual risk
D. Buying cyber insurance
E. Conducting security training
Answers: A, D

Outsourcing transfers the risk of IT operations to the vendor.

Why this answer

Option A is correct because outsourcing IT operations to a third party transfers the operational risk, and the associated liability for failures, to the external provider through a contractual agreement: the provider assumes responsibility for running and securing the infrastructure, and contractual remedies shift part of the financial impact of failures or breaches away from the organization. This is a classic risk transfer mechanism, distinct from risk mitigation or acceptance. The practitioner's caveat is that the transfer is never complete: accountability to regulators and customers for the outsourced function, and the reputational impact of a breach, remain with the organization, so the contract terms, SLAs, and ongoing vendor monitoring determine how much risk is actually shifted.

Exam trap

ISACA often tests the distinction between risk transfer and risk mitigation, trapping candidates who confuse controls like encryption or training with transfer mechanisms; among these options only insurance and outsourcing (with liability transferred by contract) qualify as risk transfer.

909
MCQ · hard

A healthcare organization is migrating its electronic health records (EHR) system to a cloud provider. The risk assessment shows that the cloud provider has strong security certifications (e.g., SOC 2 Type II, ISO 27001). However, the organization's legal team is concerned about data sovereignty laws that require patient data to remain within the country. The cloud provider's data centers are located in three regions: one in-country, and two outside. The project manager proposes using only the in-country data center. The IT director warns that this will increase latency and reduce redundancy. The risk manager must propose a response. Which is the BEST option?

A. Accept the legal risk because the cloud provider's certifications are sufficient, and document the decision.
B. Use all three data centers with automatic failover, and rely on the cloud provider's contractual guarantees of data residency.
C. Configure the EHR system to store primary data in the in-country data center, and use the other two centers for disaster recovery with data residency controls ensuring data does not leave the country unless encrypted and with legal approval.
D. Use only the in-country data center and accept the increased availability risk.
Answer: C

This balances compliance, availability, and redundancy.

Why this answer

Option C is correct because it provides a balanced approach: use the in-country data center for primary storage to comply with data sovereignty, and use the other data centers for disaster recovery only under data residency controls. Option A is wrong because accepting the legal risk is unacceptable given the regulatory environment; certifications such as SOC 2 Type II and ISO 27001 attest to the provider's controls, not to compliance with the organization's data residency obligations. Option B is wrong because automatic replication to out-of-country centers moves patient data across the border in violation of data sovereignty, whatever the contract promises. Option D is wrong because using only one data center increases availability risk when a compliant redundancy option exists.

910
MCQ · hard

A company is implementing a new access control system. During the project, the IT team updates the system configuration without notifying the risk team. This leads to a temporary misconfiguration that exposes sensitive data. Which process should have been followed to prevent this issue?

A. Control design approval
B. Continuous monitoring
C. Change management process
D. Vendor risk assessment
Answer: C

Change management would have required notification and review before the update.

Why this answer

Change management ensures that modifications to systems are authorized, reviewed, and communicated to relevant stakeholders to avoid unintended consequences.

911
Multi-Select · hard

Which THREE of the following are commonly used techniques for identifying IT risks in a large enterprise?

Select 3 answers
A. Cost-benefit analysis
B. Brainstorming sessions
C. Delphi technique
D. Risk questionnaires
E. SWOT analysis
Answers: B, D, E

Brainstorming is a common risk identification technique.

Why this answer

Brainstorming sessions are a common technique for IT risk identification because they leverage the collective expertise of stakeholders to surface potential threats, vulnerabilities, and scenarios in a structured yet creative environment. This approach is particularly effective in large enterprises where diverse perspectives can uncover risks that might be missed by individual analysis, such as emerging cyber threats or complex interdependencies in cloud architectures.

Exam trap

The trap here is that candidates confuse risk identification techniques with risk analysis or evaluation methods, mistakenly selecting cost-benefit analysis (Option A) because it involves risk-related calculations, when in fact it is not used to identify risks but to assess them after identification.

912
Multi-Select · medium

A risk manager is evaluating the effectiveness of a set of key risk indicators (KRIs). Which TWO of the following are characteristics of effective KRIs?

Select 2 answers
A. They are complex and difficult to measure
B. They are quantifiable and based on reliable data
C. They are lagging indicators that reflect past events
D. They are leading indicators that provide early warning of potential risk events
E. They focus on a very narrow aspect of risk
Answers: B, D

Quantifiable KRIs with reliable data ensure objective monitoring.

Why this answer

Effective KRIs must be quantifiable and based on reliable data to ensure objective, repeatable measurement of risk exposure. Without reliable data, the KRI cannot be trusted to trigger appropriate risk responses or support decision-making in risk monitoring.

Exam trap

ISACA often tests the distinction between leading and lagging indicators, and the trap here is that candidates mistakenly think lagging indicators are effective for early warning, when in fact KRIs must be leading to proactively manage risk.

How to eliminate wrong answers

Option A is wrong because effective KRIs should be simple and easy to measure, not complex and difficult; complexity undermines timely monitoring and increases measurement error. Option C is wrong because effective KRIs are primarily leading indicators that provide early warning, not lagging indicators that only confirm past events. Option E is wrong because effective KRIs should cover a broad enough scope to reflect material risk changes, not focus on a very narrow aspect that may miss systemic risk shifts.

913
MCQ · easy

Based on the exhibit, which key risk indicator (KRI) would this log data be MOST useful for calculating?

A. Number of failed authentication attempts per hour.
B. Percentage of successful user logins.
C. Percentage of system uptime.
D. Number of unauthorized changes to system configurations.
Answer: A

Directly derived from failed login events.

Why this answer

The log data shows repeated failed login attempts from multiple IP addresses targeting user accounts, which directly measures authentication failures over time. This makes it the most suitable source for calculating the number of failed authentication attempts per hour, a key risk indicator for brute-force or credential-stuffing attacks.

Exam trap

The trap here is that candidates may confuse authentication failure logs with broader security metrics like system uptime or configuration changes, failing to recognize that KRIs must be directly derivable from the specific log data provided.

How to eliminate wrong answers

Option B is wrong because the log data only shows failed attempts (status: FAILED) and does not include any successful login events to calculate a percentage of successful user logins. Option C is wrong because system uptime is typically measured via server health checks or SNMP monitoring, not from authentication logs that track user login events. Option D is wrong because unauthorized changes to system configurations are tracked through change management logs, configuration management databases (CMDB), or audit trails of system files, not from authentication failure logs.
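Neither exhibit (question 904's single log entry, question 913's log data) is reproduced on this page, so the following is an added example, not the page's own material: it parses constructed OpenSSH-style auth log lines, counts failed logins per source and per hour, flags a source that reaches a brute-force threshold (the question 904 indicator), and sums failures per hour (the question 913 KRI). The log lines, hostnames, IPs and the threshold of 5 are all assumptions made for the example.

```python
import ipaddress
import re
from collections import Counter

# Constructed sshd/syslog-style lines standing in for the missing exhibits
# (not the page's own exhibit data). The year is absent, as in real syslog output.
SAMPLE_AUTH_LOG = """\
Mar 12 02:14:01 web01 sshd[2011]: Failed password for root from 10.10.10.10 port 51522 ssh2
Mar 12 02:14:04 web01 sshd[2011]: Failed password for root from 10.10.10.10 port 51523 ssh2
Mar 12 02:14:07 web01 sshd[2011]: Failed password for root from 10.10.10.10 port 51524 ssh2
Mar 12 02:14:09 web01 sshd[2011]: Failed password for root from 10.10.10.10 port 51525 ssh2
Mar 12 02:14:12 web01 sshd[2011]: Failed password for invalid user admin from 10.10.10.10 port 51526 ssh2
Mar 12 02:14:15 web01 sshd[2011]: Failed password for root from 10.10.10.10 port 51527 ssh2
Mar 12 02:31:40 web01 sshd[2042]: Failed password for alice from 192.168.5.7 port 40110 ssh2
Mar 12 02:31:55 web01 sshd[2042]: Accepted password for alice from 192.168.5.7 port 40111 ssh2
Mar 12 03:05:02 web01 sshd[2100]: Failed password for root from 203.0.113.9 port 6022 ssh2
"""

# Matches OpenSSH "Failed/Accepted password" records; other sshd messages are ignored.
AUTH_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<hh>\d\d):\d\d:\d\d \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[0-9.]+) port \d+"
)

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_auth_events(log_text):
    """Return one dict per password-auth record, with an hour bucket such as 'Mar 12 02:00'."""
    events = []
    for line in log_text.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["hour"] = f"{ev['mon']} {int(ev['day']):02d} {ev['hh']}:00"
        events.append(ev)
    return events


def failed_attempts_by_source_hour(log_text):
    """Count failed logins per (source IP, hour); successful logins are excluded."""
    counts = Counter()
    for ev in parse_auth_events(log_text):
        if ev["outcome"] == "Failed":
            counts[(ev["ip"], ev["hour"])] += 1
    return counts


def brute_force_sources(counts, threshold=5):
    """Sources whose failures within one hour reach the threshold (the question 904 indicator)."""
    hits = [(ip, hour, n) for (ip, hour), n in counts.items() if n >= threshold]
    return sorted(hits, key=lambda t: (-t[2], t[0], t[1]))


def kri_failed_logins_per_hour(counts):
    """The question 913 KRI: total failed authentication attempts per hour, all sources combined."""
    per_hour = Counter()
    for (_ip, hour), n in counts.items():
        per_hour[hour] += n
    return dict(per_hour)


def is_rfc1918(ip):
    """True for private address space: such a source is inside the perimeter, not an internet host."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


if __name__ == "__main__":
    counts = failed_attempts_by_source_hour(SAMPLE_AUTH_LOG)
    for ip, hour, n in brute_force_sources(counts):
        zone = "private" if is_rfc1918(ip) else "public"
        print(f"{hour}: {n} failed logins from {ip} ({zone} source)")
    print("KRI failed logins/hour:", kri_failed_logins_per_hour(counts))
```

On the constructed data, 10.10.10.10 produces six failures in one hour and is reported as a private-address source, which is the point made under question 904; the per-hour totals are what a KRI dashboard would plot for question 913. Successful logins are parsed but never counted, which is why Option B of question 913 cannot be computed from failure-only data.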

914
MCQ · hard

Based on the exhibit, what is the MOST significant risk exposure?

A. The policy does not include deny statements, so all access is allowed
B. The AdminRole can access both buckets
C. Public access to the public-bucket with no restrictions
D. The anonymous access to the confidential-bucket
Answer: C

Anyone (Principal: *) can get objects from the public-bucket, posing a data leakage risk.

Why this answer

Option C is correct because the exhibit grants s3:GetObject on public-bucket to Principal '*', so anyone on the internet can read every object in that bucket without authentication. That is the most significant exposure because data is disclosed with no authentication or authorization check at all, violating least privilege; if the bucket holds anything that was not meant to be public, it is a breach waiting to be indexed. Note that the statement as described grants read only: write or delete would require PutObject or DeleteObject grants, which the exhibit does not show, so the exposure is data leakage rather than tampering.

Exam trap

The trap here is that candidates may focus on the absence of deny statements (Option A) or the presence of admin access (Option B) as the primary risk, but the most significant exposure is the unrestricted public access to the public-bucket, which directly violates data confidentiality.

How to eliminate wrong answers

Option A is wrong because the absence of deny statements does not automatically allow all access; access control policies in AWS S3 are evaluated based on the combination of bucket policies, IAM policies, and ACLs, and the default is to deny all access unless explicitly allowed. Option B is wrong because the AdminRole having access to both buckets is not inherently a risk; it is a legitimate administrative privilege that is expected and can be managed with proper controls. Option D is wrong because anonymous access to the confidential-bucket is not indicated in the exhibit; the exhibit shows that the confidential-bucket has a policy that denies anonymous access, so this option describes a scenario that does not exist.
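The exhibit itself is not reproduced on this page, so the following is an added example, not the page's policy: a constructed bucket policy modelled on the exhibit's description (a public GetObject grant on public-bucket, an AdminRole grant on both buckets, a deny protecting confidential-bucket) next to a hardened variant, and a checker that reports Allow statements reachable by the anonymous principal. The account ID, role ARN, the CloudFront distribution ARN and the Deny condition are placeholders chosen for the example.

```python
import json

# Constructed bucket policy modelled on the exhibit's description (not the exhibit).
# Account ID 123456789012 and the ARNs are placeholders.
WEAK_POLICY = json.loads(r"""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::public-bucket/*"},
    {"Sid": "AdminAll", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/AdminRole"},
     "Action": "s3:*",
     "Resource": ["arn:aws:s3:::public-bucket/*", "arn:aws:s3:::confidential-bucket/*"]},
    {"Sid": "DenyOutsideAccount", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*", "Resource": "arn:aws:s3:::confidential-bucket/*",
     "Condition": {"StringNotEquals": {"aws:PrincipalAccount": "123456789012"}}}
  ]
}
""")

# Hardened variant: the read is granted to one CloudFront distribution (origin access
# control pattern) instead of to every unauthenticated caller on the internet.
HARDENED_POLICY = json.loads(r"""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "CloudFrontRead", "Effect": "Allow",
     "Principal": {"Service": "cloudfront.amazonaws.com"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::public-bucket/*",
     "Condition": {"StringEquals": {"AWS:SourceArn":
        "arn:aws:cloudfront::123456789012:distribution/EDFDVBD6EXAMPLE"}}}
  ]
}
""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def principal_is_anonymous(principal):
    """'*' or {'AWS': '*'} means any caller, signed or not."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_allow_statements(policy):
    """Allow statements granted to the anonymous principal, worst (unconditional) first.

    Deny statements with Principal '*' are the normal way to fence a bucket and are not
    findings. An Allow with a Condition (VPC endpoint, source IP, account) may be narrowed
    in practice and is reported for review rather than as an open exposure.
    """
    findings = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow" or not principal_is_anonymous(st.get("Principal")):
            continue
        findings.append({
            "sid": st.get("Sid"),
            "actions": _as_list(st.get("Action", [])),
            "resources": _as_list(st.get("Resource", [])),
            "unconditional": "Condition" not in st,
        })
    return sorted(findings, key=lambda f: (not f["unconditional"], f["sid"] or ""))


def write_or_delete_exposed(findings):
    """True only if an anonymous grant covers more than reads: GetObject alone is disclosure, not tampering."""
    for f in findings:
        for action in f["actions"]:
            name = action.split(":")[-1]
            if action == "s3:*" or name.startswith(("Put", "Delete")):
                return True
    return False


if __name__ == "__main__":
    for label, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        found = public_allow_statements(policy)
        print(label, [(f["sid"], f["actions"], f["unconditional"]) for f in found],
              "write/delete exposed:", write_or_delete_exposed(found))
```

The checker reports PublicRead on the weak policy and nothing on the hardened one, and it does not flag DenyOutsideAccount even though that statement also names Principal '*', which is the distinction Option D trips over. Bucket policies are only one layer: S3 Block Public Access at the account or bucket level, the bucket ACL, and IAM policies also participate in the evaluation, so a clean bucket policy is necessary but not sufficient.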

915
Multi-Select · hard

A risk manager is assessing IT/OT convergence risks at a manufacturing plant. Which TWO of the following are primary risks introduced by connecting industrial control systems to the corporate network?

Select 2 answers
A. Attack path expansion from IT to OT
B. Reduced operational efficiency
C. Increased data storage costs
D. Legacy system vulnerabilities exposed
E. Simplified remote access
Answers: A, D

Network connectivity creates new vectors for attackers.

Why this answer

Attack path expansion allows attackers to move from IT to OT. Legacy systems often have weak security. Both are primary risks.

916
MCQ · medium

A quantitative risk assessment for a server shows an ARO of 0.5 and SLE of $200,000. What is the ALE, and what does it imply?

A. ALE = $400,000; maximum possible loss
B. ALE = $100,000; single loss expectancy
C. ALE = $100,000; expected annual loss
D. ALE = $200,000; annual cost of controls
Answer: C

Correct calculation and interpretation.

Why this answer

ALE = ARO × SLE = 0.5 × $200,000 = $100,000. This means the expected annual loss from this risk is $100,000.

917
Multi-Select · easy

An organization is creating a risk register for its IT risk universe. The risk manager needs to categorize risks to align with the enterprise risk management framework. Which TWO risk categories are most commonly used in IT risk identification?

Select 2 answers
A. Operational
B. Financial
C. Reputational
D. Compliance
E. Strategic
Answers: A, D

Operational risk covers IT system failures, process errors, and disruptions, making it a key category for IT risks.

Why this answer

Operational risk includes IT failures, and compliance risk includes regulatory violations. Strategic, financial, and reputational are also common but less directly tied to IT risk identification.

918
MCQ · easy

Refer to the exhibit. Which of the following is the MOST critical risk that should be addressed first?

A. SSH protocol version 1.0 on 192.168.1.10
B. RDP with weak encryption on 192.168.1.20
C. SMB signing not required on 192.168.1.20
D. Apache HTTP Server 2.2.3 on 192.168.1.10
Answer: A

Critical vulnerability should be addressed first.

Why this answer

SSH protocol version 1 is cryptographically broken: its CRC-32 integrity check permits packet insertion attacks, and known session-key recovery flaws exist against its key exchange, so an attacker on the path can compromise the confidentiality and integrity of administrative sessions. Unlike the other options, which are misconfigurations or outdated software that can be mitigated by patching or hardening, SSHv1 cannot be made safe; it has to be disabled in favor of SSHv2. Because it exposes the core management interface of the asset, it is the most critical risk to address first.

Exam trap

ISACA often tests the concept that a deprecated protocol version (like SSHv1) outranks configuration weaknesses or outdated software, because the flaw is in the protocol design itself: the fix is to stop offering the protocol (require SSHv2, and replace any device that only speaks SSHv1), not to patch it.

How to eliminate wrong answers

Option B (RDP with weak encryption on 192.168.1.20) is wrong because, while weak encryption (e.g., 56-bit RC4 at the 'Low' encryption level) is a real concern, RDP can be hardened by requiring the TLS security layer with the High or FIPS encryption level and enabling Network Level Authentication (NLA), and the exposure is less immediate than a broken protocol on a management interface. Option C (SMB signing not required on 192.168.1.20) is wrong because unsigned SMB enables NTLM relay attacks, but this is a configuration weakness fixed by requiring signing, and it does not by itself hand an attacker administrative sessions the way SSHv1 does. Option D (Apache HTTP Server 2.2.3 on 192.168.1.10) is wrong because, although this version is outdated and has known vulnerabilities (e.g., CVE-2011-3192, CVE-2012-0883), it is a web server that can be patched or isolated, and the risk is less critical than a protocol-level flaw on the management interface.
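The exhibit's scan output is not on the page, so the following is an added example rather than the page's data: a check a practitioner would run to confirm the SSHv1 finding before prioritizing it. It classifies SSH identification strings (the format from RFC 4253 section 4.2) and inspects a legacy sshd_config Protocol directive. The banners and hosts are constructed; the version-1.99 case is the one scanners most often misreport, since a server advertising 1.99 accepts both SSH-1 and SSH-2 clients.

```python
# Constructed banners (not scanner output from the exhibit). The identification string
# has the form 'SSH-protoversion-softwareversion' (RFC 4253 section 4.2).
SAMPLE_BANNERS = {
    "192.168.1.10": "SSH-1.99-OpenSSH_3.9p1",
    "192.168.1.20": "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6",
    "192.168.1.30": "SSH-1.5-OpenSSH_2.9",
}


def ssh_protocol_versions(banner):
    """Protocol major versions a server will negotiate, from its identification string.

    '1.99' is the server's way of saying it accepts both SSH-1 and SSH-2 clients, so a
    report that reads only the software version can miss the SSH-1 path entirely.
    """
    if not banner.startswith("SSH-"):
        raise ValueError("not an SSH identification string")
    proto = banner.split("-", 2)[1]
    if proto == "1.99":
        return {1, 2}
    if proto == "2.0":
        return {2}
    if proto.startswith("1."):
        return {1}
    raise ValueError(f"unrecognized protocol version {proto!r}")


def hosts_accepting_sshv1(banners):
    """Hosts on which an SSH-1 session can be negotiated; these are the ones to fix first."""
    return sorted(host for host, b in banners.items() if 1 in ssh_protocol_versions(b))


def sshd_config_allows_v1(config_text):
    """Inspect a legacy sshd_config: 'Protocol 2' disables SSH-1; 'Protocol 2,1' or '1' allows it.

    Returns None when no Protocol directive is present, because the default depended on
    the OpenSSH release; sshd dropped SSH-1 support altogether in OpenSSH 7.4, after which
    the directive is ignored and the only remaining exposure is on older or non-OpenSSH servers.
    """
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "protocol":
            return "1" in {v.strip() for v in parts[1].split(",")}
    return None


if __name__ == "__main__":
    print("hosts accepting SSH-1:", hosts_accepting_sshv1(SAMPLE_BANNERS))
    print("legacy config 'Protocol 2,1' allows v1:", sshd_config_allows_v1("Protocol 2,1\n"))
```

The remediation for a host that answers 1.99 or 1.x is to set Protocol 2 (on OpenSSH versions that still have SSH-1 code) or to upgrade or replace the device, and then to re-scan and confirm the banner reads SSH-2.0.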

919
MCQ · medium

During a quarterly control effectiveness test, internal audit finds that a detective control missed 15% of security incidents. The control owner claims this is within the acceptable error rate of 20%. However, the risk practitioner notes that the missed incidents were high-severity. What should the risk practitioner do?

A. Accept the control as effective since it is within the threshold
B. Escalate the findings to senior management with a recommendation to enhance the control
C. Implement a compensating control to cover high-severity incidents
D. Recommend revising the KCI threshold to include severity weighting
Answer: B

Escalation ensures that the risk associated with missed high-severity incidents is communicated to decision-makers.

Why this answer

The risk practitioner should escalate the findings to senior management with a recommendation to enhance the control because the detective control's failure to detect 15% of incidents, while within the 20% acceptable error rate, specifically missed high-severity incidents. High-severity incidents pose a disproportionate risk to the organization, and a control that fails to detect them is not effective in mitigating critical risks, regardless of meeting a generic threshold. Escalation ensures that management is aware of the residual risk and can authorize appropriate enhancements, such as tuning the control's detection logic or implementing additional monitoring for high-severity events.

Exam trap

ISACA often tests the misconception that meeting a quantitative KCI threshold automatically means a control is effective, without considering the qualitative severity of the incidents missed.

How to eliminate wrong answers

Option A is wrong because accepting the control as effective based solely on the 20% threshold ignores the materiality of the missed incidents; a control that misses high-severity incidents is not effective for risk management, even if it meets a quantitative KCI. Option C is wrong because implementing a compensating control is a tactical response that should be directed by management after escalation, not a first action by the risk practitioner, and it bypasses the need to address the root cause of the control's failure to detect high-severity incidents. Option D is wrong because revising the KCI threshold to include severity weighting is a metric adjustment that does not directly address the immediate control deficiency; the practitioner must first report the finding to management, who can then decide on metric changes as part of a broader remediation plan.
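To make the materiality argument concrete, here is an added example (not from the page) that builds a constructed quarter of 20 incidents in which the detective control misses exactly 15% by count, all of them high severity, and computes the count-based KCI beside a severity-weighted one. The 1/3/9 severity weights and the incident sample are assumptions for illustration, not CRISC-prescribed values.

```python
# Constructed quarter of 20 incidents: (incident_id, severity, detected_by_control).
# Built so the count-based miss rate is exactly 15%, as in the question, while every
# missed incident is high severity. The 1/3/9 weights are an assumed scale.
INCIDENTS = (
    [(f"INC-{i:03d}", "low", True) for i in range(1, 13)]
    + [(f"INC-{i:03d}", "medium", True) for i in range(13, 18)]
    + [(f"INC-{i:03d}", "high", False) for i in range(18, 21)]
)
SEVERITY_WEIGHT = {"low": 1, "medium": 3, "high": 9}


def count_miss_rate(incidents):
    """The control owner's metric: share of incidents the detective control missed."""
    return sum(1 for _, _, detected in incidents if not detected) / len(incidents)


def weighted_miss_rate(incidents, weights=SEVERITY_WEIGHT):
    """Severity-weighted miss rate: weight of missed incidents over total weight."""
    total = sum(weights[sev] for _, sev, _ in incidents)
    missed = sum(weights[sev] for _, sev, detected in incidents if not detected)
    return missed / total


def missed_by_severity(incidents):
    """Breakdown of misses by severity, which is the fact the practitioner escalates."""
    out = {}
    for _, sev, detected in incidents:
        if not detected:
            out[sev] = out.get(sev, 0) + 1
    return out


def evaluate_kci(incidents, threshold=0.20):
    """What the risk practitioner reports: the headline number and the materiality behind it."""
    rate = count_miss_rate(incidents)
    by_sev = missed_by_severity(incidents)
    return {
        "count_miss_rate": rate,
        "within_threshold": rate <= threshold,
        "weighted_miss_rate": weighted_miss_rate(incidents),
        "missed_by_severity": by_sev,
        "escalate": by_sev.get("high", 0) > 0,
    }


if __name__ == "__main__":
    for k, v in evaluate_kci(INCIDENTS).items():
        print(f"{k}: {v}")
```

On this sample the count-based rate is 0.15 (inside the 20% threshold) while the weighted rate is 0.50: half of the risk the control exists to detect went undetected. That gap is what justifies escalation (Option B); changing the metric (Option D) is a later decision for management once the finding is on the table.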

920
MCQ · easy

A company is conducting an IT risk assessment for the first time. Which of the following should be the FIRST step?

A. Identify all IT assets
B. Establish the risk assessment context
C. Analyze the likelihood and impact of threats
D. Implement mitigating controls
Answer: B

Establishing context is the initial step in the risk assessment process.

Why this answer

Before any risk assessment activities can begin, the organization must establish the context—defining the scope, risk appetite, criteria for risk evaluation, and the business objectives the assessment supports. Without this foundational step, subsequent identification of assets, threat analysis, or control implementation would lack alignment with business goals and could produce irrelevant or misleading results. This aligns with the ISACA Risk IT framework and the CRISC domain of IT Risk Assessment.

Exam trap

The trap here is that candidates often jump straight to identifying assets (Option A) because it seems like the most tangible first step, but they fail to recognize that without establishing context, the asset inventory may be scoped incorrectly or lack business alignment.

How to eliminate wrong answers

Option A is wrong because identifying all IT assets is a subsequent step that depends on knowing the scope and boundaries defined during context establishment; without context, asset identification may be incomplete or misaligned. Option C is wrong because analyzing likelihood and impact of threats occurs after threats and vulnerabilities have been identified, which itself follows context establishment and asset identification. Option D is wrong because implementing mitigating controls is a risk response activity that occurs only after risks have been assessed, evaluated, and a decision to treat them has been made.

921
MCQ · medium

A company recently experienced a data breach due to an unpatched vulnerability in a public-facing web application. During the post-incident review, the IT risk manager notes that the vulnerability was identified by the vulnerability scanner six months ago but was not remediated because the patch required a critical database server restart. Which of the following is the BEST risk treatment decision to prevent a recurrence?

A. Ignore the vulnerability until the next maintenance window.
B. Escalate the risk to senior management for acceptance.
C. Implement a compensating control such as a web application firewall.
D. Accept the risk based on the low likelihood of exploitation.
Answer: C

A WAF can block exploitation attempts until a proper patch can be applied.

Why this answer

Option C is correct because a web application firewall (WAF) as a compensating control provides virtual patching: it blocks exploitation attempts at the application layer (e.g., SQL injection, path traversal) without requiring the database server restart that blocked the real patch. It does not remove the vulnerability, so the patch still has to be scheduled, but it reduces the likelihood of exploitation to an acceptable level in the meantime and avoids the operational disruption that caused the six-month delay. A WAF inspects HTTP/HTTPS traffic and filters malicious payloads by signature or behavioral rule; its rules should be tuned to the specific finding and verified against the scanner's evidence rather than trusted by default.

Exam trap

The trap here is that candidates may confuse risk acceptance (Option D) with a valid treatment when the vulnerability has already been exploited, failing to recognize that a compensating control like a WAF is the only option that actively reduces risk without causing the operational disruption that prevented patching.

How to eliminate wrong answers

Option A is wrong because ignoring the vulnerability until the next maintenance window leaves the public-facing web application exposed to active exploitation, which contradicts the goal of preventing recurrence and violates the principle of timely risk treatment. Option B is wrong because escalating the risk to senior management for acceptance is a risk acceptance decision, not a risk treatment decision that actively reduces the likelihood or impact of exploitation; it merely formalizes inaction without adding any security controls. Option D is wrong because accepting the risk based on low likelihood is invalidated by the fact that the vulnerability was already exploited once, proving that the likelihood is not low and that the threat landscape is active.

922
MCQ · hard

A risk practitioner is using the ISACA risk scenario template to document a scenario. The template includes elements such as threat actor, threat type, event, asset/resource, timing, detection, and response. Which element describes the likelihood that the threat event will occur within a specific timeframe?

A. Threat type
B. Timing
C. Response
D. Detection
Answer: B

Timing addresses when the event could occur and its probability within that period.

Why this answer

The 'timing' element in the ISACA scenario template captures when the event might occur and the likelihood within that timeframe, which is a key factor in determining risk probability.

923
MCQ · hard

During a risk assessment of a legacy system, the assessor finds that no control is currently in place. The inherent risk level is 'critical'. The residual risk will be:

A. Medium
B. Critical
C. High
D. Low
Answer: B

No controls mean residual risk remains critical.

Why this answer

Residual risk is the level of risk remaining after controls are applied. Since the scenario explicitly states that no control is currently in place, the residual risk remains identical to the inherent risk level, which is 'critical'. Therefore, the residual risk is also critical.

Exam trap

The trap here is that candidates may assume residual risk is always lower than inherent risk, forgetting that without any controls, residual risk equals inherent risk by definition.

How to eliminate wrong answers

Option A is wrong because 'Medium' would imply that some risk reduction has occurred, but with no controls applied, the risk cannot be lowered from critical to medium. Option C is wrong because 'High' suggests a partial reduction in risk, which is not possible when no control exists to mitigate the inherent critical risk. Option D is wrong because 'Low' would require effective controls to significantly reduce the risk, which is absent in this scenario.

924
MCQ · medium

During an IT risk assessment, the risk practitioner calculates the inherent risk score for a critical application as 25 (on a 5×5 matrix). After evaluating control effectiveness, the residual risk score is 9. What can be inferred about the controls?

A. Controls are effective in reducing the risk level
B. Additional controls are unnecessary
C. Controls are not effective because residual risk remains
D. The inherent risk was overestimated
Answer: A

Significant reduction from 25 to 9 indicates effective controls.

Why this answer

A reduction from 25 to 9 indicates controls are effective in reducing risk. High inherent risk does not automatically mean high residual risk; controls can reduce it significantly.

925
Multi-Select · medium

A risk practitioner is conducting a business impact assessment for a critical application. Which TWO of the following are examples of direct financial costs? (Select TWO)

Select 2 answers
A. Incident response costs
B. Reputation damage
C. Regulatory fines
D. Lost business due to downtime
E. Recovery costs
Answers: A, E

Direct cost of responding to a breach.

Why this answer

Incident response and recovery costs are direct financial costs. Lost business and reputational damage are indirect costs.

926
Multi-Select · easy

Which TWO of the following are primary sources of risk identification for IT projects?

Select 2 answers
A. Social media monitoring
B. Vendor marketing materials
C. Project documentation (e.g., scope, schedule, budget)
D. Stakeholder interviews
E. Industry benchmark reports
Answers: C, D

Project docs contain key risk information.

Why this answer

Project documentation such as scope, schedule, and budget is a primary source of risk identification because it defines the project's boundaries, constraints, and deliverables. Analyzing these documents helps identify risks related to scope creep, unrealistic timelines, or insufficient funding that could impact IT project success.

Exam trap

The trap here is that candidates often mistake external or secondary sources (like industry reports or social media) as primary risk identification sources, when in fact only project-specific documentation and direct stakeholder engagement are considered primary for IT projects.

927
MCQhard

A risk practitioner is asked to reduce the number of KRIs tracked from 50 to 20. Which KRIs should be prioritized for removal?

A.KRIs that have been consistently below threshold for two years
B.KRIs that are not directly mapped to any risk in the risk register
C.KRIs that require manual data collection
D.KRIs that have high volatility
AnswerB

Unmapped KRIs lack context and decision support.

Why this answer

KRIs that are not directly mapped to any risk in the risk register provide no actionable insight for risk monitoring or decision-making. Removing them reduces noise and ensures the remaining 20 KRIs are all linked to specific risks, which is essential for effective risk-based reporting and resource allocation.

Exam trap

The trap here is that candidates often confuse operational efficiency (manual collection) or statistical behavior (low threshold, high volatility) with the fundamental requirement that every KRI must be directly traceable to a specific risk in the risk register.

How to eliminate wrong answers

Option A is wrong because KRIs consistently below threshold for two years may indicate effective controls or low inherent risk, but they could still be valuable for confirming risk acceptance or control effectiveness; removal should be based on relevance, not just low readings. Option C is wrong because manual data collection is a cost or efficiency concern, not a criterion for whether a KRI is meaningful for risk monitoring; a manually collected KRI can still be critical if it maps to a high-priority risk. Option D is wrong because high volatility in a KRI often signals a risk that requires close monitoring; removing volatile KRIs could blind the organization to emerging threats or control failures.

928
Multi-Selecthard

Which THREE of the following are valid risk identification methods according to ISACA's Risk IT Framework? (Select exactly 3.)

Select 3 answers
A.Segregation of duties
B.Scenario analysis
C.Risk acceptance
D.SWOT analysis
E.Brainstorming
AnswersB, D, E

Scenario analysis explores possible future events to identify risks.

Why this answer

Scenario analysis is a valid risk identification method under ISACA's Risk IT Framework because it involves developing hypothetical scenarios to identify potential threats and vulnerabilities that could lead to risk events. This technique helps organizations anticipate and prepare for plausible adverse situations by analyzing their impact on IT assets and business objectives.

Exam trap

The trap here is that candidates often confuse risk identification techniques with risk response or control activities, mistakenly selecting segregation of duties or risk acceptance as valid identification methods when they are actually part of risk mitigation and risk treatment processes.

929
MCQmedium

A retail company is assessing the risk of a POS malware attack. Which approach would BEST quantify the potential financial impact?

A.Vulnerability scanning and penetration testing
B.Annualized Loss Expectancy (ALE) calculation based on past incidents
C.Scenario analysis with input from business and IT stakeholders
D.Failure Mode and Effects Analysis (FMEA)
AnswerC

Scenario analysis provides tailored impact estimates.

Why this answer

Scenario analysis with input from business and IT stakeholders is the best approach because it allows the organization to model specific POS malware attack scenarios, incorporating both technical threat vectors (e.g., memory scraping of track data) and business context (e.g., PCI DSS fines, card reissuance costs, brand damage). This collaborative method produces a more accurate and contextualized financial impact estimate than purely historical or technical assessments, especially for emerging or evolving threats like POS malware.

Exam trap

The trap here is that candidates often choose B (ALE based on past incidents) because it appears quantitative and straightforward, but the question asks for the BEST approach to quantify potential financial impact for a specific threat (POS malware), where historical data is often sparse or irrelevant, making scenario analysis with stakeholder input more accurate and forward-looking.

How to eliminate wrong answers

Option A is wrong because vulnerability scanning and penetration testing identify technical weaknesses and exploit paths but do not quantify financial impact in monetary terms; they are risk identification tools, not impact quantification methods. Option B is wrong because Annualized Loss Expectancy (ALE) calculation based on past incidents assumes historical frequency and impact remain constant, which is unreliable for POS malware where attack vectors, detection capabilities, and regulatory penalties change rapidly; it also fails to account for unique business-specific factors. Option D is wrong because Failure Mode and Effects Analysis (FMEA) is a reliability engineering tool focused on identifying failure modes and their effects on system function, not on quantifying financial loss from a targeted cyberattack like POS malware; it lacks the business context and monetary valuation needed for financial impact assessment.

930
MCQmedium

An organization's architecture review board (ARB) is evaluating a new solution architecture. What is the PRIMARY risk management role of the ARB in this context?

A.Identifying and mitigating security risks in the architecture
B.Selecting the technology vendor for the solution
C.Ensuring the solution aligns with the enterprise IT strategy
D.Approving the project budget and timeline
AnswerA

The ARB reviews for security risks and ensures they are addressed.

Why this answer

The ARB reviews solution architectures to identify and address security risks before implementation, ensuring alignment with the organization's risk appetite.

931
MCQmedium

A large retailer is implementing a new point-of-sale (POS) system. The project manager wants to identify risks related to payment card data security. Which risk identification technique would be MOST effective for this purpose?

A.Risk register review from past projects
B.Brainstorming session with the project team
C.Data Flow Diagram (DFD) review
D.SWOT analysis
AnswerC

A DFD shows how card data is processed, stored, and transmitted, highlighting risk points.

Why this answer

A Data Flow Diagram (DFD) review is most effective because it visually maps how payment card data moves through the POS system—from card swipe to authorization to storage—identifying exactly where data is at rest, in transit, or processed. This allows the team to pinpoint specific PCI DSS control gaps (e.g., unencrypted transmission, unnecessary retention) that other techniques might miss.

Exam trap

The trap here is that candidates often choose 'Brainstorming session with the project team' because it seems collaborative and proactive, but they fail to recognize that for technical data security risks, a structured, visual analysis like a DFD review is far more precise and complete.

How to eliminate wrong answers

Option A is wrong because a risk register from past projects captures generic historical risks but cannot reveal the unique data flows, integration points, or PCI DSS compliance gaps specific to this new POS system. Option B is wrong because a brainstorming session with the project team relies on subjective, unstructured input and may overlook subtle data-handling vulnerabilities that only a systematic diagram-based analysis can expose. Option D is wrong because SWOT analysis evaluates strengths, weaknesses, opportunities, and threats at a strategic level, not the granular technical details of payment data movement and storage required for PCI DSS risk identification.

932
MCQhard

A technology startup is developing a mobile payment application. During a risk identification workshop, the team identifies a risk that the application may not comply with Payment Card Industry Data Security Standard (PCI DSS) requirements. What is the BEST way to categorize this risk?

A.Compliance risk.
B.Strategic risk.
C.Operational risk.
D.Reputational risk.
AnswerA

Non-compliance with PCI DSS is a direct regulatory risk.

Why this answer

Non-compliance with PCI DSS is a direct violation of regulatory requirements, making it a compliance risk. For a mobile payment application handling cardholder data, PCI DSS mandates specific security controls (e.g., encryption of PAN, access controls, logging). Failure to meet these standards exposes the startup to fines, legal sanctions, and potential loss of the ability to process payments.

Exam trap

The trap here is that candidates confuse the primary risk category (compliance) with the potential business impact (reputational or operational), but CRISC expects the root cause—failure to meet a regulatory standard—to be classified as compliance risk.

How to eliminate wrong answers

Option B (Strategic risk) is wrong because strategic risk relates to high-level business decisions (e.g., entering a new market, choosing a technology stack) that affect long-term goals, not a specific regulatory mandate. Option C (Operational risk) is wrong because operational risk involves failures in day-to-day processes, systems, or human error (e.g., server downtime, transaction processing errors), not a compliance gap. Option D (Reputational risk) is wrong because reputational risk is a consequence of other risks (e.g., a data breach from non-compliance), not the primary categorization of the risk itself.

933
MCQmedium

Refer to the exhibit. If the control objective is to prevent unauthorized access via MFA, what does this test result indicate?

A.The control is ineffective because only 30 logins were sampled.
B.The control is fully effective.
C.The control is effective only if MFA is required for all users.
D.The control is effective for the sample but may not be for the population.
AnswerD

Test results apply only to the sample tested.

Why this answer

Option D is correct because the test result is based on a sample of 30 logins, so it indicates effectiveness for that sample but cannot guarantee effectiveness for the entire population. Option B is wrong because a single sample cannot prove full effectiveness. Option A is wrong because the sample size may be adequate statistically, but the result is still limited to the sample tested. Option C is wrong because the test does not assess the design requirement that MFA be required for all users; it tests operating effectiveness.

934
Multi-Selectmedium

Which THREE of the following are components of Loss Magnitude in the FAIR framework?

Select 3 answers
A.Reputational damage
B.Vulnerability severity
C.Incident response costs
D.Recovery costs
E.Threat event frequency
AnswersA, C, D

Reputational damage is part of secondary loss.

Why this answer

FAIR splits Loss Magnitude into primary loss (direct costs) and secondary loss (indirect costs). Primary loss includes incident response and recovery; secondary loss includes reputation and lost business.

935
Multi-Selectmedium

Which TWO are characteristics of inherent risk?

Select 2 answers
A.Based on the effectiveness of current controls
B.Used to determine control gap
C.Risk level before controls
D.Risk level after controls
E.Based on the assumption that no controls exist
AnswersC, E

Inherent risk is without controls.

Why this answer

Inherent risk is defined as the risk level that exists before any controls are applied or considered. It represents the raw, untreated risk exposure that an organization would face if no mitigating actions were in place. This concept is foundational in risk assessment because it establishes the baseline against which the effectiveness of controls is measured.

Exam trap

The trap here is that candidates often confuse inherent risk with residual risk, mistakenly thinking that inherent risk includes the effect of existing controls, which is a common misconception tested in CRISC questions.

936
MCQmedium

A risk manager is evaluating a control that addresses a high-risk finding from an internal audit. Which of the following is the MOST important factor in determining whether the control is effective?

A.The vendor's reputation for providing reliable security solutions
B.Key control indicators (KCIs) such as control deficiency rate and test results
C.The cost of the control relative to the asset value
D.The control's alignment with industry best practices
AnswerB

KCIs measure actual control performance and are the most direct indicators of effectiveness.

Why this answer

B is correct because the effectiveness of a control is determined by its ability to reduce risk to an acceptable level, which is directly measured by key control indicators (KCIs) such as the control deficiency rate and test results. These metrics provide empirical evidence of whether the control is operating as intended and mitigating the identified high-risk finding. Without such performance data, any assessment of effectiveness is speculative.

Exam trap

The trap here is that candidates often confuse 'alignment with best practices' (Option D) with proof of effectiveness, but CRISC requires evidence of actual control performance, not just theoretical compliance.

How to eliminate wrong answers

Option A is wrong because a vendor's reputation does not guarantee that the specific control implementation is effective in the organization's unique environment; effectiveness must be validated through actual testing and monitoring. Option C is wrong because cost relative to asset value is a factor in cost-benefit analysis, not a direct measure of control effectiveness; a low-cost control can be effective, and a high-cost control can fail. Option D is wrong because alignment with industry best practices is a design consideration, not a proof of operational effectiveness; a control may follow best practices but still have implementation flaws or be insufficient for the specific risk context.

937
Multi-Selectmedium

An organization is integrating IT risk into its enterprise risk management (ERM) program. Which TWO of the following are key benefits of this integration?

Select 2 answers
A.Reduces the overall risk appetite of the organization
B.Eliminates the need for separate IT risk reporting
C.Guarantees that all IT risks are mitigated
D.Ensures IT risk is considered in strategic decisions
E.Provides a consistent risk language across the organization
AnswersD, E

Integration ensures IT risk is part of enterprise-level decisions.

Why this answer

Integrating IT risk into ERM allows for a holistic view of risk and ensures IT risk is considered alongside other operational risks.

938
MCQeasy

A company's control monitoring dashboard shows that a key control has been operating effectively for six months. However, a recent audit revealed a material weakness. Which of the following is the MOST likely reason?

A.The KRI thresholds were set incorrectly.
B.The control was not tested during the period.
C.The monitoring frequency was too low.
D.The control owner was not trained.
AnswerA

Incorrect thresholds can prevent detection of control failures, leading to a false effective status.

Why this answer

The dashboard shows the control operating effectively for six months, yet a material weakness was found. This discrepancy most likely arises because the Key Risk Indicator (KRI) thresholds were set incorrectly, meaning the monitoring system was calibrated to report acceptable risk levels even when the control was actually failing. Incorrect thresholds cause the dashboard to report a false "effective" status, masking the true control deficiency.

Exam trap

The trap here is that candidates assume a control operating effectively on a dashboard must be working correctly, overlooking that the dashboard's accuracy depends on correctly configured KRI thresholds.

How to eliminate wrong answers

Option B is wrong because the control was being monitored continuously via the dashboard, implying it was tested; the issue is not lack of testing but flawed measurement. Option C is wrong because monitoring frequency being too low would typically show gaps or missing data points, not a consistent six-month record of effectiveness. Option D is wrong because lack of training would likely cause inconsistent control operation or procedural errors, not a systematic dashboard misrepresentation of effectiveness.

939
MCQhard

A multinational corporation operates in 15 countries with decentralized control monitoring systems. Each regional office uses different tools and processes for monitoring operational risks. The corporate risk team has consolidated quarterly reports, but the board recently raised concerns about inconsistencies and late identification of emerging risks. A root cause analysis revealed that regional monitoring teams define key risk indicators (KRIs) differently and report on different timeframes. Additionally, there is no centralized platform to aggregate data. The risk manager must recommend a solution that balances local autonomy with global visibility. Which option is the most effective?

A.Create a policy requiring regional risk teams to follow the same KRI definitions and reporting schedule.
B.Implement a centralized risk and control monitoring platform that aggregates data and enforces common reporting standards.
C.Standardize monitoring tools across all regions globally.
D.Increase the frequency of board risk committee meetings to twice per month.
AnswerB

Provides global visibility while allowing local input; addresses root cause of inconsistency.

Why this answer

A centralized risk and control monitoring platform standardizes data and reporting while allowing local customization via configurable thresholds. Standardizing tools globally (C) might ignore local nuances; a policy alone (A) doesn't enforce consistency; increasing meeting frequency (D) does not address data inconsistency.

940
MCQhard

In a qualitative risk assessment using a 5x5 heat map, an IT risk is rated with likelihood 4 and impact 5. According to typical heat map conventions (5=Critical, 4=High, 3=Medium, 2=Low, 1=Informational), what is the overall risk rating?

A.Low
B.Medium
C.High
D.Critical
AnswerD

Correct. 4x5=20 is in the critical range (15-25).

Why this answer

In a typical 5x5 risk heat map, the overall risk rating is determined by the intersection of likelihood and impact values. With likelihood 4 and impact 5, the cell falls in the 'Critical' zone (commonly defined as likelihood 4-5 and impact 4-5). This aligns with the convention where 5=Critical, 4=High, 3=Medium, 2=Low, 1=Informational, making D the correct answer.

Exam trap

The trap here is that candidates may incorrectly multiply likelihood and impact (4 x 5 = 20) and then try to map that product to a rating, rather than using the heat map's intersection logic, leading them to choose 'High' instead of 'Critical'.

How to eliminate wrong answers

Option A is wrong because a likelihood of 4 and impact of 5 produce a risk score well above the threshold for 'Low' (which typically covers likelihood 1-2 and impact 1-2). Option B is wrong because 'Medium' risk usually corresponds to likelihood 2-3 and impact 2-3, not the high values given. Option C is wrong because while 'High' (rating 4) is close, the combination of likelihood 4 and impact 5 maps to the highest severity zone (Critical), not High, in standard heat map conventions.

941
Multi-Selecteasy

An organization is considering adopting the NIST Cybersecurity Framework to manage cybersecurity risk. Which of the following are core functions of the framework? (Choose TWO.)

Select 2 answers
A.Prevent
B.Mitigate
C.Protect
D.Analyze
E.Identify
AnswersC, E

Protect includes safeguards to limit impact.

Why this answer

The NIST CSF core functions include Identify, Protect, Detect, Respond, and Recover. Identify and Protect are two of them.

942
MCQeasy

An organization purchases cyber insurance to cover potential losses from data breaches. This is an example of:

A.Risk Avoidance
B.Risk Transfer
C.Risk Mitigation
D.Risk Acceptance
AnswerB

Insurance is a classic example of risk transfer.

Why this answer

Purchasing cyber insurance transfers the financial risk of a data breach to the insurer, making it a classic example of risk transfer. In risk management, transfer shifts the impact of a loss to a third party (e.g., an insurance carrier) without eliminating the underlying threat or vulnerability. This aligns with the CRISC domain of Risk Response and Mitigation, where transfer is a distinct response strategy.

Exam trap

The trap here is that candidates confuse risk transfer with risk mitigation, thinking insurance reduces the likelihood of a breach, when in fact it only shifts the financial consequences.

How to eliminate wrong answers

Option A is wrong because risk avoidance would mean eliminating the activity that causes the risk (e.g., not storing any sensitive data), not insuring against it. Option C is wrong because risk mitigation involves implementing controls (e.g., encryption, firewalls) to reduce the likelihood or impact of a breach, not transferring financial liability. Option D is wrong because risk acceptance means formally acknowledging the risk and bearing the potential loss without purchasing insurance or implementing additional controls.

943
MCQmedium

A critical vendor is being onboarded. The vendor risk appetite policy requires SOC 2 Type II reports for critical vendors. The vendor has provided a SOC 2 Type I report. What should the risk manager do?

A.Request a SOC 2 Type II report from the vendor
B.Downgrade the vendor to a lower tier
C.Exempt the vendor from the requirement
D.Accept the Type I report as sufficient
AnswerA

Correct: the policy requires Type II for critical vendors.

Why this answer

SOC 2 Type II covers controls over a period, providing more assurance than Type I. The requirement is Type II, so the vendor should be asked to provide it.

944
MCQhard

A risk manager is using the FAIR model to quantify cyber risk. After analyzing a ransomware scenario, the probable loss event frequency (LEF) is estimated at 0.2 per year, and the probable loss magnitude (LM) is $5 million. What is the annualized loss expectancy (ALE) in this scenario?

A.$500,000
B.$250,000
C.$5,000,000
D.$1,000,000
AnswerD

Correct calculation: 0.2 * 5,000,000 = 1,000,000.

Why this answer

ALE = LEF * LM = 0.2 * $5,000,000 = $1,000,000.

945
MCQhard

A risk practitioner is designing a quarterly IT risk report for the CISO. Which of the following elements is MOST critical for tactical decision-making?

A.Top risks and status
B.Risk heat map
C.Upcoming risk events
D.Control performance metrics
AnswerD

These metrics (e.g., deficiency rates, test results) enable the CISO to make decisions about control improvements.

Why this answer

Control performance metrics (D) are most critical for tactical decision-making because they provide quantifiable, real-time data on how well existing security controls are operating. Tactical decisions require immediate, actionable insights—such as whether a firewall rule is blocking 95% of malicious traffic or if a patch management process is meeting its 30-day SLA—rather than high-level summaries or future projections. Without control metrics, the CISO cannot assess the effectiveness of current defenses or prioritize remediation efforts.

Exam trap

CRISC often tests the distinction between strategic, tactical, and operational reporting levels, and the trap here is that candidates confuse a risk heat map (a common visual tool) with actionable data, when in fact it is a strategic summary that lacks the control-specific metrics needed for tactical decisions.

How to eliminate wrong answers

Option A is wrong because 'top risks and status' is a strategic summary that informs long-term risk appetite and governance, not the granular, operational data needed for day-to-day tactical adjustments. Option B is wrong because a risk heat map provides a static, aggregated view of risk levels at a point in time, lacking the dynamic, control-specific performance data required for immediate tactical responses. Option C is wrong because 'upcoming risk events' are forward-looking and relevant for planning, but they do not reflect the current state of control effectiveness, which is essential for tactical decisions like reallocating resources or tuning controls.

946
MCQhard

A company has an inherent risk score of 20 for a specific threat. After implementing controls, the control effectiveness is assessed as 60% (design adequacy 70%, operating effectiveness 85%). What is the approximate residual risk score?

A.14
B.6
C.8
D.12
AnswerC

20 × (1 - 0.6) = 8.

Why this answer

Residual risk = Inherent risk × (1 - Control effectiveness). Control effectiveness = 0.6. Residual risk = 20 × 0.4 = 8.

947
MCQmedium

An internal audit found that a control designed to prevent duplicate payments was bypassed in 5% of transactions. The control owner argues that the control is still effective because the bypass rate is low. What is the BEST response from a risk perspective?

A.Accept the bypass rate as within acceptable tolerance.
B.Document that the control is 95% effective and close the finding.
C.Investigate why bypasses occur and implement compensating controls.
D.Re-classify the control as a detective control instead of preventive.
AnswerC

Root cause analysis is needed.

Why this answer

Option C is the best response because a 5% bypass rate indicates a control weakness that could lead to financial loss or fraud. From a risk perspective, the root cause of the bypasses must be investigated to understand why the control is being overridden, and compensating controls should be implemented to mitigate the residual risk. Simply accepting or documenting the rate without action ignores the potential for systemic issues or targeted exploitation.

Exam trap

The trap here is that candidates may assume a low bypass rate is automatically acceptable (Option A) or that documenting effectiveness is sufficient (Option B), without recognizing that risk management requires understanding and addressing the root cause of control failures, not just measuring their frequency.

How to eliminate wrong answers

Option A is wrong because accepting the bypass rate as within acceptable tolerance without understanding the root cause or business impact is premature and ignores the risk that even a 5% bypass could result in significant duplicate payments over time. Option B is wrong because documenting the control as 95% effective and closing the finding fails to address the underlying control weakness and does not ensure that the bypasses are not indicative of a larger process or system flaw. Option D is wrong because re-classifying the control as detective instead of preventive does not resolve the issue; it merely changes the label, while the control's purpose (preventing duplicate payments) remains unfulfilled, and the bypasses still need to be addressed.

948
MCQmedium

An organization is updating its IT risk universe. Which of the following is the MOST important factor to consider when defining the universe?

A.Historical loss data only
B.All potential IT risks regardless of likelihood, including cyber, operational, compliance, third-party, project, and change risks
C.Risks that are within the current budget to mitigate
D.Only risks that have been realized in the past year
AnswerB

The universe should be exhaustive to ensure no risks are overlooked.

Why this answer

The risk universe should be comprehensive, covering all potential risks from various sources.

949
MCQhard

You are the IT risk manager for a mid-sized e-commerce company that processes over 10,000 transactions per day. The company recently migrated its customer database from an on-premises SQL Server to a cloud-based PostgreSQL instance on AWS RDS. The database contains personally identifiable information (PII) including names, addresses, and credit card numbers (stored as encrypted tokens). The migration was performed by the DevOps team with minimal involvement from the security team. Two weeks after the migration, the company experienced a data breach where an attacker exfiltrated a subset of customer records. The forensic investigation revealed that the attacker exploited a misconfigured security group that allowed inbound traffic from the internet on port 5432 (PostgreSQL default port). Additionally, the database had a publicly accessible endpoint, and the master user password was weak (eight characters, no special characters). The attacker used a brute-force attack to guess the password. The security group has since been corrected, and the password has been changed to a strong one. The breach notification laws require reporting within 72 hours. The CEO wants to understand the root cause and prevent recurrence. As the risk manager, which of the following actions should you recommend as the MOST effective to prevent a similar incident?

A.Implement infrastructure-as-code (IaC) security scanning and policy enforcement in the CI/CD pipeline to prevent insecure configurations.
B.Deploy an intrusion detection system (IDS) to monitor database traffic for brute-force attempts.
C.Hire a dedicated database administrator to review all database configurations weekly.
D.Conduct quarterly security audits of cloud infrastructure configurations.
AnswerA

Automated enforcement prevents misconfigurations from being deployed.

Why this answer

Option A is correct because the root cause is the misconfigured security group and weak password, both of which stem from insufficient security review and lack of automated controls. Implementing a policy-as-code tool that enforces security group rules (e.g., no public access to databases) and password policies during deployment would prevent such misconfigurations. Option C is wrong because while a dedicated DBA could help, it does not address the process gap for automated enforcement. Option D is wrong because quarterly reviews are too infrequent to catch misconfigurations quickly. Option B is wrong because IDS/IPS detects attacks but does not prevent misconfigurations.

950
Multi-Selecteasy

Which TWO of the following are key attributes of effective risk reporting?

Select 2 answers
A.Includes full risk register details
B.Only issued when a risk incident occurs
C.Provides actionable information for decision-makers
D.Tailored to the specific needs of the audience
E.Sent to all employees by email
AnswersC, D

The purpose of reporting is to support decision-making.

Why this answer

Effective risk reporting must provide actionable information that enables decision-makers to prioritize and respond to risks. Option C is correct because reports should highlight key risk indicators (KRIs), trends, and control effectiveness, not just raw data, so that management can make informed decisions about risk treatment and resource allocation.

Exam trap

The trap here is that candidates often mistake completeness (full risk register) for effectiveness, not realizing that effective reporting is about relevance and conciseness for the specific audience, not data volume.

951
MCQeasy

An organization is designing a risk indicator monitoring program for its key financial risks. Which of the following is the BEST example of a key risk indicator (KRI) for credit risk?

A.Percentage of loans that are in default or non-performing.
B.Number of employees who completed cybersecurity training.
C.Percentage of network uptime over the past month.
D.Employee turnover rate in the finance department.
AnswerA

This directly measures credit risk.

Why this answer

A key risk indicator (KRI) for credit risk must directly measure the likelihood or impact of a borrower failing to meet their obligations. The percentage of loans that are in default or non-performing is a direct, quantitative measure of credit risk exposure, as it reflects the actual realization of credit losses. This aligns with the CRISC focus on monitoring risk levels to trigger timely responses.

Exam trap

The trap here is that candidates confuse KRIs with KPIs or operational metrics, selecting a generic performance measure (like training completion or uptime) instead of a risk-specific indicator that directly quantifies credit exposure.

How to eliminate wrong answers

Option B is wrong because the number of employees who completed cybersecurity training is a key performance indicator (KPI) for security awareness, not a KRI for credit risk; it measures activity, not the creditworthiness of borrowers. Option C is wrong because percentage of network uptime is an operational risk KRI related to IT availability, not a measure of credit risk. Option D is wrong because employee turnover rate in the finance department is a human resources metric that may indicate operational inefficiency but does not directly measure the probability of default or credit loss.

952
MCQ · medium

A risk assessment reveals that a legacy system has a high likelihood of failure. The system is critical and cannot be replaced immediately. The company decides to implement manual overrides and additional monitoring. This is an example of:

A. Risk Transfer
B. Risk Mitigation
C. Risk Acceptance
D. Risk Avoidance
Answer: B

Manual overrides and monitoring reduce the likelihood or impact of failure.

Why this answer

Implementing manual overrides and additional monitoring reduces the probability or impact of the legacy system failure without eliminating the risk entirely. This is the definition of risk mitigation, as it applies controls to lower the residual risk to an acceptable level while the system remains in operation.

Exam trap

The trap here is that candidates confuse 'risk mitigation' with 'risk acceptance' because the system is still running with known vulnerabilities; the key differentiator is that active controls are being applied to reduce the risk, rather than the risk merely being acknowledged.

How to eliminate wrong answers

Option A is wrong because risk transfer would involve shifting the financial burden of failure to a third party (e.g., purchasing cyber insurance or outsourcing the system), not adding internal controls. Option C is wrong because risk acceptance means formally acknowledging the risk without taking any action to reduce it, which contradicts the decision to implement overrides and monitoring. Option D is wrong because risk avoidance would require removing the system or the activity causing the risk, such as decommissioning the legacy system entirely, which is explicitly stated as not immediately possible.

953
MCQ · easy

Which of the following is a limitation of quantitative risk analysis?

A. Results are not comparable across organizations.
B. It is data-intensive and time-consuming.
C. It is subjective and difficult to communicate.
D. It does not provide financially meaningful values.
Answer: B

Quantitative methods require reliable data and significant effort.

Why this answer

Quantitative analysis requires detailed data and is time-consuming, which can be a significant limitation.

954
MCQ · medium

A risk analyst is building a risk register. After identifying a list of risks, what is the NEXT step in the risk identification process according to ISACA best practices?

A. Assign risk owners
B. Categorize the risks
C. Determine risk response
D. Assess the inherent risk level
Answer: B

Categorization is the next logical step to organize risks.

Why this answer

After identification, risks should be categorized to enable proper analysis and response. Categorization helps in understanding the nature of each risk and assigning ownership.

955
MCQ · medium

Which of the following is the BEST Key Control Indicator (KCI) for measuring the effectiveness of a firewall?

A. Percentage of blocked intrusion attempts
B. Time since last firewall firmware update
C. Number of firewall rule changes per month
D. Number of firewall alerts generated
Answer: A

This directly measures how well the firewall is performing its preventive function.

Why this answer

The percentage of blocked intrusion attempts directly measures how effectively the firewall is enforcing its security policies to prevent unauthorized access. A high block rate indicates the firewall is correctly identifying and stopping threats, making it the most direct KCI for firewall effectiveness.

Exam trap

The trap here is confusing operational metrics (like patch age or change volume) with direct effectiveness metrics, leading candidates to choose a maintenance or activity indicator instead of a performance-based KCI.

How to eliminate wrong answers

Option B is wrong because time since last firmware update measures maintenance hygiene, not operational effectiveness; a firewall can be fully patched but still misconfigured. Option C is wrong because the number of rule changes per month measures administrative churn, not how well the firewall blocks threats; many changes could indicate instability or poor design. Option D is wrong because the number of alerts generated measures noise or volume, not effectiveness; a high alert count could result from false positives or benign traffic, not actual intrusion prevention.

956
MCQ · easy

During a risk assessment for a critical financial application, the IT risk manager identifies a vulnerability in the application's authentication module. The exploit would require authenticated access. Which risk rating is most appropriate if the vulnerability has a CVSS base score of 9.0, but the application is behind a strong firewall and requires two-factor authentication?

A. Medium, after considering the compensating controls
B. Low, because the application requires authenticated access
C. High, because CVSS base score is 9.0
D. Very high, due to the criticality of the application
Answer: A

Compensating controls reduce the likelihood of exploitation.

Why this answer

Option A is correct because the CVSS base score of 9.0 reflects the intrinsic severity of the vulnerability, but the final risk rating must incorporate compensating controls. The strong firewall and two-factor authentication (2FA) significantly reduce the likelihood of exploitation, as the attacker would need to bypass both network-level filtering and an additional authentication factor. In CRISC methodology, risk is a function of likelihood and impact; here, the controls lower the likelihood, resulting in a Medium residual risk rating despite the high base score.

Exam trap

The trap here is that candidates assume a high CVSS base score automatically dictates a High or Very High risk rating, ignoring the CRISC principle that risk must be evaluated after applying compensating controls and environmental modifiers.

How to eliminate wrong answers

Option B is wrong because requiring authenticated access does not automatically make the risk Low; the vulnerability still exists and could be exploited by an authenticated user, and the CVSS score already accounts for the attack vector (network) and complexity (low). Option C is wrong because the CVSS base score alone does not determine the final risk rating; it must be adjusted for environmental and compensating controls using the CVSS environmental metrics (e.g., modified attack vector, modified privileges required). Option D is wrong because application criticality influences impact but not the final risk rating without considering likelihood; the compensating controls reduce the likelihood, so Very High is not appropriate.

957
MCQ · easy

When integrating IT risk into the enterprise risk management (ERM) program, what is the PRIMARY benefit?

A. Improved compliance with IT standards
B. Reduced IT operational costs
C. Increased frequency of risk assessments
D. Better alignment of IT risk with business objectives
Answer: D

Integration ensures IT risks are managed in line with enterprise goals.

Why this answer

Integrating IT risk into ERM ensures that IT risk decisions are directly linked to business strategy and objectives, enabling leadership to prioritize risks that could impact critical business outcomes. This alignment is the primary benefit because it transforms IT risk from a technical concern into a strategic business driver, facilitating better resource allocation and governance.

Exam trap

The trap here is that candidates confuse operational benefits (cost reduction, compliance, or process frequency) with the strategic benefit of business alignment, which is the core purpose of integrating IT risk into ERM.

How to eliminate wrong answers

Option A is wrong because improved compliance with IT standards is a secondary outcome, not the primary benefit; compliance supports risk management but does not inherently align IT risk with business goals. Option B is wrong because reducing IT operational costs is a potential operational efficiency gain, not the core purpose of ERM integration, which focuses on strategic risk alignment rather than cost-cutting. Option C is wrong because increased frequency of risk assessments is a tactical process change that does not guarantee better business alignment; ERM integration prioritizes relevance and decision-making over assessment cadence.

958
MCQ · hard

During a third-party risk assessment, a vendor is classified as 'critical' due to its access to sensitive customer data. According to the organization's vendor risk appetite, what is the minimum security requirement for this vendor?

A. SOC 2 Type II report
B. Annual compliance attestation
C. Penetration test results from the vendor
D. Self-assessment questionnaire only
Answer: A

Correct. This is a common requirement for high-risk vendors.

Why this answer

A SOC 2 Type II report is the minimum security requirement for a critical vendor because it provides an independent audit of controls over security, availability, processing integrity, confidentiality, and privacy over a period of time (typically 6–12 months). This aligns with the organization's risk appetite for sensitive customer data, as it offers more assurance than a point-in-time assessment or self-report.

Exam trap

The trap here is that candidates often choose penetration test results (Option C) thinking they are the most technical and thorough, but fail to recognize that for critical vendors, ongoing control effectiveness over time (SOC 2 Type II) is more aligned with risk appetite than a single point-in-time test.

How to eliminate wrong answers

Option B is wrong because an annual compliance attestation is a self-declaration without independent verification, which is insufficient for a critical vendor handling sensitive customer data. Option C is wrong because penetration test results, while valuable, are point-in-time and do not cover the breadth of operational controls (e.g., access management, encryption) that a SOC 2 Type II report addresses. Option D is wrong because a self-assessment questionnaire relies solely on the vendor's own assertions and lacks the objectivity and rigor required for critical vendors.

959
MCQ · medium

A risk register is being updated after a quarterly risk assessment. One risk has decreased in likelihood due to new controls. However, the risk score remains unchanged because the impact increased. What should the risk practitioner do?

A. Remove the risk from the register because it is under control
B. Recalculate the risk score using the new likelihood and impact values
C. Automatically accept the risk because likelihood decreased
D. Escalate to senior management for a new risk treatment plan
Answer: B

The risk score should be based on current likelihood and impact; if impact increased, the score may stay the same or increase.

Why this answer

The risk score is a function of both likelihood and impact. Even though new controls reduced likelihood, the increased impact means the overall risk level may remain unchanged. The correct action is to recalculate the risk score using the updated values to reflect the current risk posture accurately, as required by the risk assessment process.

Exam trap

The trap here is that candidates assume a decrease in likelihood automatically lowers the risk score, ignoring that a simultaneous increase in impact can offset that reduction, leading them to prematurely accept or escalate the risk without recalculating.

How to eliminate wrong answers

Option A is wrong because removing a risk from the register simply because it is 'under control' ignores the fact that the impact has increased, which could still result in an unacceptable residual risk; risks are removed only when they are fully mitigated or no longer relevant. Option C is wrong because automatically accepting a risk solely because likelihood decreased disregards the increased impact, which may push the risk beyond the organization's risk appetite; acceptance requires a formal decision based on the full risk profile. Option D is wrong because escalating to senior management for a new treatment plan is premature; the first step is to recalculate the risk score to determine if the risk level has actually changed, and only then decide if further treatment is needed.

960
MCQ · easy

After a risk assessment, a company decides to stop using a third-party service that has high residual risk. This is an example of:

A. Risk Mitigation
B. Risk Avoidance
C. Risk Transfer
D. Risk Acceptance
Answer: B

Avoidance is the decision not to engage in the risk-prone activity.

Why this answer

By discontinuing the use of the third-party service, the company eliminates the risk entirely rather than reducing or accepting it. This is the definition of risk avoidance, where the activity giving rise to the risk is ceased. The decision is based on the residual risk being too high to be acceptable or cost-effectively mitigated.

Exam trap

The trap here is that candidates confuse 'avoidance' with 'mitigation' because both involve action, but avoidance eliminates the risk source entirely, whereas mitigation reduces but does not remove the risk.

How to eliminate wrong answers

Option A is wrong because risk mitigation involves implementing controls to reduce the likelihood or impact of a risk, not stopping the activity entirely. Option C is wrong because risk transfer would involve shifting the risk to another party (e.g., through insurance or outsourcing), not ceasing the service. Option D is wrong because risk acceptance means formally acknowledging and tolerating the residual risk without taking further action, which is the opposite of stopping the service.

961
MCQ · hard

A SIEM event shows multiple failed logins followed by a successful login for the service account 'svc-backup'. The risk practitioner is evaluating the controls. Which finding is MOST significant?

A. The service account has excessive database privileges
B. The failed login events were not logged in real time
C. Failed logins indicate a possible brute force attack
D. A service account is authenticating with a password rather than a certificate
Answer: D

Service accounts should use strong, non-password authentication.

Why this answer

Option D is correct because service accounts should authenticate using non-replayable methods like certificates or managed service accounts (gMSA) rather than static passwords. A password-based authentication for a privileged service account, especially after a series of failed logins, indicates a high risk of credential compromise and lateral movement, making this the most significant finding from a risk monitoring perspective.

Exam trap

The trap here is that candidates focus on the brute force indicator (failed logins) or logging delays, missing that the core risk is the authentication method itself—a password for a service account—which is a fundamental control weakness that enables credential theft and lateral movement.

How to eliminate wrong answers

Option A is wrong because while excessive database privileges are a concern, the question focuses on the authentication event pattern; privilege misuse is a separate control issue not directly indicated by the failed-then-successful login sequence. Option B is wrong because the SIEM event already shows the failed logins were captured; the timing of logging (real-time vs. batch) is a monitoring efficiency issue, not the most significant risk in this specific scenario. Option C is wrong because failed logins alone do not confirm a brute force attack; they could be due to misconfiguration or user error, and the successful login after failures is the critical indicator of potential compromise, not just the failed attempts.

962
MCQ · easy

Which of the following is the BEST indicator that a risk assessment's results are reliable?

A. It is based on a standard framework such as ISO 31000.
B. It uses the most recent threat intelligence.
C. It includes both quantitative and qualitative methods.
D. It is performed by an external consultant.
Answer: B

Current threat intelligence ensures relevance and accuracy.

Why this answer

B is correct because the reliability of a risk assessment hinges on the accuracy and timeliness of its inputs. Using the most recent threat intelligence ensures that the assessment reflects the current threat landscape, including newly discovered vulnerabilities, active exploit campaigns, and emerging attack vectors. Without current intelligence, even a perfectly structured assessment will produce outdated risk scores that fail to represent actual exposure.

Exam trap

The trap here is that candidates often confuse methodological rigor (framework, mixed methods, or external objectivity) with data reliability, failing to recognize that the freshness and relevance of threat intelligence is the single most critical factor for producing trustworthy risk assessment results.

How to eliminate wrong answers

Option A is wrong because using a standard framework like ISO 31000 provides a structured methodology but does not guarantee that the underlying data (e.g., threat likelihood, asset values) is accurate or current; a framework is a process, not a data quality control. Option C is wrong because combining quantitative and qualitative methods improves comprehensiveness but does not address the timeliness or accuracy of the input data; both methods can produce unreliable results if fed stale or incorrect information. Option D is wrong because an external consultant may bring independence and expertise, but their work is still dependent on the quality of the threat intelligence and data they use; an external consultant using outdated intelligence is no more reliable than an internal team doing the same.

963
MCQ · easy

An external audit finds that a control is not operating as designed. The auditor recommends corrective action. What should the risk practitioner do FIRST?

A. Implement the auditor's recommendation immediately
B. Develop a remediation plan with the control owner
C. Update the risk register with the auditor's finding
D. Assess the impact of the control deficiency on residual risk
Answer: D

Understanding impact drives prioritization.

Why this answer

The risk practitioner must first assess the impact of the control deficiency on residual risk because the finding may not represent a material risk to the organization. Without understanding the severity and likelihood of the risk, any remediation or reporting could be misprioritized. This aligns with the CRISC framework's emphasis on risk-based decision-making before action.

Exam trap

The trap here is that candidates confuse the urgency of an audit finding with the need for immediate action, when the correct first step is always to evaluate the risk impact before any remediation or reporting.

How to eliminate wrong answers

Option A is wrong because implementing the auditor's recommendation immediately bypasses risk analysis and may waste resources on low-impact findings or introduce unintended side effects. Option B is wrong because developing a remediation plan without first understanding the risk impact could lead to misaligned controls or over-investment in non-critical areas. Option C is wrong because updating the risk register is a documentation step that should follow the impact assessment to ensure the register reflects accurate risk levels.

964
Multi-Select · hard

Which THREE factors should be considered when determining the inherent risk level of a new IT project prior to any controls?

Select 3 answers
A. Regulatory requirements governing the project's outcomes.
B. Past security incidents in similar projects.
C. Complexity of the project's technology stack.
D. Experience level of the project team.
E. Extent of external network connectivity.
Answers: A, C, E

Strict regulations increase the consequence of non-compliance, raising inherent risk.

Why this answer

Regulatory requirements (A) are a key factor in determining inherent risk because they impose mandatory compliance obligations that, if unmet, can result in legal penalties, fines, or operational shutdowns. For a new IT project, the inherent risk level is assessed based on the nature of the data processed and the applicable laws (e.g., GDPR, HIPAA, PCI DSS) before any controls are applied. This is a fundamental input to the risk assessment, as non-compliance risk exists independently of any security measures.

Exam trap

The trap here is that candidates often confuse inherent risk factors with control factors, mistakenly selecting team experience (D) or historical incidents (B) as inherent risk drivers, when in fact these are inputs for control effectiveness or residual risk assessment.

965
MCQ · medium

You are a risk analyst for a financial institution that uses a legacy mainframe system for core banking transactions. The mainframe is critical for daily operations, but it is no longer supported by the vendor. The system has known vulnerabilities that cannot be patched due to compatibility issues. The institution has a risk appetite that is very low for any disruption to core banking services. Recently, there was a minor outage caused by a hardware failure, which was resolved quickly, but it highlighted the system's fragility. The IT director proposes to migrate to a modern system, but the migration will take 2 years and cost $5 million. The board is concerned about the cost and timeline. You need to recommend an immediate risk treatment to reduce the likelihood of a major outage while the migration is underway. Which of the following is the BEST course of action?

A. Accept the risk because the migration plan is in place.
B. Implement redundant hardware for critical components and conduct regular failover testing.
C. Negotiate with the vendor for extended support.
D. Purchase business interruption insurance to cover potential losses.
Answer: B

Redundancy reduces the likelihood of a single point of failure and testing ensures readiness.

Why this answer

Option B is correct because implementing redundant hardware for critical components and conducting regular failover testing directly reduces the likelihood of a major outage by addressing the single point of failure exposed by the recent hardware failure. This is an immediate risk treatment that does not depend on the 2-year migration timeline, and it aligns with the institution's very low risk appetite for core banking disruption.

Exam trap

The trap here is that candidates may choose option D (insurance) because it seems like a quick financial fix, but CRISC emphasizes that risk treatment must first address likelihood reduction before considering financial transfer, especially when the risk appetite is very low.

How to eliminate wrong answers

Option A is wrong because simply accepting the risk while the migration is underway ignores the immediate fragility highlighted by the recent outage and the known unpatched vulnerabilities; risk acceptance is not appropriate when the risk appetite is very low and a treatment is feasible. Option C is wrong because the system is no longer supported by the vendor, so negotiating for extended support is unlikely to succeed or may only provide limited, costly patches that do not address the hardware fragility; it also does not reduce the likelihood of a hardware-related outage. Option D is wrong because purchasing business interruption insurance only transfers the financial impact of a major outage, not the likelihood of it occurring; it does nothing to reduce the probability of a disruption, which is the primary concern given the very low risk appetite.

966
MCQ · medium

When using STRIDE for threat modeling, which threat category involves an attacker gaining unauthorized access to a system by pretending to be a legitimate user?

A. Repudiation
B. Information Disclosure
C. Tampering
D. Spoofing
Answer: D

Spoofing involves impersonation to gain unauthorized access.

Why this answer

Spoofing in STRIDE refers to impersonating something or someone else to gain unauthorized access, such as using stolen credentials.

967
MCQ · medium

Which of the following threat actors is MOST likely to be motivated by financial gain and possess moderate to high technical capabilities?

A. Organized crime
B. Hacktivist
C. Nation-state APT
D. Script kiddie
Answer: A

Organized crime is financially motivated and can have high technical capabilities.

Why this answer

Organized crime groups are primarily motivated by financial gain and often have sophisticated technical skills to carry out attacks such as ransomware, data theft, or fraud.

968
MCQ · medium

In developing a risk scenario, connecting a threat event to business impact is crucial. Which of the following is the BEST example of a properly connected risk scenario?

A. A firewall misconfiguration allows unauthorized access, causing a security incident.
B. A ransomware attack encrypts files, leading to IT department overtime.
C. An insider steals data, leading to legal fees.
D. A DDoS attack causes website unavailability for 4 hours, resulting in $500,000 lost sales and customer churn.
Answer: D

Clearly connects the event to financial and reputational impact.

Why this answer

A proper connection shows the chain from threat to impact on business.

969
Multi-Select · hard

Which THREE of the following are essential components of a risk register that should be documented during risk identification? (Select exactly 3.)

Select 3 answers
A. Quantified monetary impact
B. Risk owner
C. Root cause
D. Mitigation plan
E. Risk description
Answers: B, C, E

Assigning an owner ensures accountability for managing the risk.

Why this answer

The risk register is a foundational artifact in IT risk management, and during the identification phase, its essential components are the risk description (to uniquely identify the risk), the risk owner (to assign accountability), and the root cause (to understand the underlying source). These three elements are documented before any quantitative analysis or mitigation planning occurs, as they form the basis for subsequent risk assessment and response.

Exam trap

The trap here is that candidates often confuse the risk identification phase with the risk assessment phase, selecting 'Quantified monetary impact' because they think it is needed upfront, when in fact it is only determined after the risk has been identified and analyzed.

970
MCQ · hard

After implementing multiple controls, the residual risk for a new product launch is still slightly above the risk appetite. The risk manager decides to proceed with the launch and monitor the risks regularly. This is:

A. Risk Transfer
B. Risk Avoidance
C. Risk Acceptance
D. Risk Mitigation
Answer: C

Acceptance is appropriate when residual risk is still above appetite but the decision is made to tolerate it.

Why this answer

The risk manager's decision to proceed with the launch despite residual risk exceeding the risk appetite, while committing to regular monitoring, is the definition of risk acceptance. In IT risk management, this acknowledges that the remaining risk is tolerable for business objectives, and the monitoring plan ensures any escalation is detected early. This is not a passive decision but an active, documented acceptance of the residual risk level.

Exam trap

The exam often tests the nuance that risk acceptance is not inaction but a deliberate, documented decision to tolerate residual risk above appetite with ongoing monitoring, which candidates mistakenly confuse with risk mitigation or avoidance.

How to eliminate wrong answers

Option A is wrong because risk transfer would involve shifting the financial impact of the risk to a third party (e.g., cyber insurance or outsourcing), not proceeding with internal monitoring. Option B is wrong because risk avoidance would mean canceling or not launching the product to eliminate the risk entirely, which contradicts the decision to proceed. Option D is wrong because risk mitigation would require implementing additional controls to reduce the residual risk below the appetite, not accepting it above the threshold.

971
Multi-Select · hard

A financial services company is implementing a vendor risk management program. Which THREE of the following are key components of an effective vendor risk assessment process? (Select THREE)

Select 3 answers
A. Contract compliance reviews
B. Ongoing monitoring via annual reassessments
C. Review of vendor's cyber insurance policy
D. Initial onboarding assessment including security questionnaires
E. Vendor self-assessment without validation
Answers: A, B, D

Ensuring vendors meet contractual security requirements is essential.

Why this answer

Contract compliance reviews (A) are a key component because they verify that vendors are meeting agreed-upon service level agreements (SLAs), security clauses, and regulatory requirements. This ensures that contractual obligations, such as data protection standards and incident response timelines, are being enforced and that any deviations are identified and remediated. Without this review, the organization cannot confirm that the vendor's actual practices align with the risk posture agreed upon during onboarding.

Exam trap

The trap here is that candidates often confuse risk transfer mechanisms (like cyber insurance) with risk assessment activities, leading them to select option C, when in fact insurance does not evaluate the vendor's actual security posture or operational risk.

972
MCQ · easy

When prioritizing risk treatment actions, which factor is most important to consider alongside the risk level?

A. Cost-benefit analysis of controls
B. Number of stakeholders involved
C. Regulatory requirements only
D. Time required to implement controls
Answer: A

Prioritization should consider the cost-effectiveness of controls.

Why this answer

Risk treatment prioritization must balance the cost of controls against the expected reduction in risk. A cost-benefit analysis ensures that the selected controls provide a net positive value, preventing over-investment in low-impact risks or under-investment in high-impact ones. This aligns with the ISACA Risk IT Framework, which emphasizes that risk treatment decisions should be economically justified.

Exam trap

The trap here is that candidates often prioritize regulatory compliance or implementation speed over economic justification, but CRISC emphasizes that risk treatment must be cost-effective to ensure sustainable risk management.

How to eliminate wrong answers

Option B is wrong because the number of stakeholders involved does not directly determine the effectiveness or efficiency of risk treatment; while stakeholder input is important, it is secondary to the economic justification of controls. Option C is wrong because regulatory requirements are only one subset of risk treatment drivers; focusing solely on them ignores other critical factors like operational impact and cost, leading to suboptimal risk management. Option D is wrong because time to implement is a scheduling constraint, not a primary decision factor; a quick fix that is not cost-effective may waste resources and fail to address the root risk.

973
Multi-Selectmedium

An OT environment is being assessed for compliance with IEC 62443. Which TWO of the following are key security requirements of this standard?

Select 2 answers
A. Segmentation of networks into zones and conduits
B. Mandatory cloud-based backup for all control systems
C. Annual penetration testing by an external firm
D. Use of AES-256 encryption for all communications
E. Implementation of security levels (SL) for control systems
Answers: A, E

Defense-in-depth zones and conduits are core concepts.

Why this answer

IEC 62443 requires segmentation of OT networks into zones and conduits to isolate critical control systems from less trusted networks and control communication flows. This is a foundational security requirement because it limits the blast radius of a cyber incident and enforces access controls between different security levels.

Exam trap

The trap here is that candidates often confuse 'security levels' (SL) with 'security requirements'—SL is a target classification (SL 1-4), not a requirement itself, while zone/conduit segmentation is a direct architectural requirement of the standard.

974
Multi-Select · medium

Which THREE of the following are key components of an effective risk response plan?

Select 3 answers
A. Documented risk response strategy (e.g., avoid, mitigate, transfer, accept)
B. Detailed implementation timeline
C. Assigned ownership and accountability
D. Regulatory impact analysis
E. Resource allocation and budget
Answers: A, C, E

The chosen strategy is a fundamental part of the plan.

Why this answer

A documented risk response strategy (e.g., avoid, mitigate, transfer, accept) is a key component because it formally defines the chosen approach for addressing each identified risk. This documentation ensures that the response aligns with the organization's risk appetite and provides a clear directive for subsequent actions, such as implementing controls or transferring risk via insurance.

Exam trap

The trap here is that candidates confuse project management components (like timelines and detailed schedules) with the strategic, decision-oriented components of a risk response plan, leading them to select 'Detailed implementation timeline' instead of recognizing that ownership, strategy, and budget are the three pillars CRISC emphasizes.

975
MCQ · medium

A hospital uses a patient portal that allows patients to access their medical records. The portal has experienced multiple brute-force login attempts. The risk manager wants to identify the most critical risk scenario. Which of the following should be prioritized?

A. Denial of service due to excessive login attempts.
B. Unauthorized access to patient medical records.
C. Insufficient encryption of data in transit.
D. Phishing attacks targeting portal users.
Answer: B

Breach of medical records can lead to legal penalties, identity theft, and harm to patients.

Why this answer

The most critical risk scenario from brute-force login attempts is unauthorized access to patient medical records, as this directly compromises patient privacy and violates HIPAA regulations. While denial of service is a concern, the primary impact of successful brute-force attacks is data breach, not service availability. The risk manager must prioritize the confidentiality of protected health information (PHI) over other operational risks.

Exam trap

The trap here is that candidates may focus on the immediate technical symptom (denial of service) rather than the primary business impact (unauthorized data access), which is the core of risk identification in CRISC.

How to eliminate wrong answers

Option A is wrong because denial of service from excessive login attempts is a temporary availability issue, not the most critical risk; brute-force attacks primarily aim to gain access, not to overwhelm the system, and rate limiting or account lockout policies can mitigate DoS. Option C is wrong because insufficient encryption of data in transit is a separate vulnerability related to data exposure during transmission (e.g., missing TLS), not directly caused by brute-force login attempts; the question focuses on the consequence of brute-force attacks, not encryption weaknesses. Option D is wrong because phishing attacks are a different attack vector involving social engineering to steal credentials, not a direct result of brute-force attempts; the scenario explicitly describes brute-force login attempts, not phishing.

Certified in Risk and Information Systems Control CRISC CRISC Questions 901–975 | Page 13/14 | Courseiva