Certified in Risk and Information Systems Control (CRISC) — Questions 976–982

982 questions total · 14 pages · All types, answers revealed


976 · MCQ · hard

A risk assessment identifies that a legacy system has a high risk of failure with no available vendor support. The organization decides to decommission the system and migrate to a modern platform. This is:

A. Risk Avoidance
B. Risk Transfer
C. Risk Mitigation
D. Risk Acceptance

Answer: A

Avoidance is the decision to stop the risky activity.

Why this answer

Decommissioning the legacy system and migrating to a modern platform eliminates the risk entirely by removing the vulnerable asset from the environment. This is the definition of risk avoidance, as the organization chooses not to engage with the risk at all rather than reducing or transferring it. The decision directly addresses the high risk of failure and lack of vendor support by removing the system from operation.

Exam trap

The trap here is that candidates often confuse risk avoidance with risk mitigation, mistakenly thinking that any proactive action (like migrating) is a form of mitigation, whereas avoidance specifically means ceasing the activity that generates the risk.

How to eliminate wrong answers

Option B is wrong because risk transfer would involve shifting the financial impact of failure to a third party (e.g., purchasing cyber insurance or outsourcing to a managed service provider), not removing the system. Option C is wrong because risk mitigation would involve implementing controls to reduce the likelihood or impact of failure (e.g., adding monitoring, applying patches, or isolating the system) while keeping it operational. Option D is wrong because risk acceptance means formally acknowledging the risk and its potential consequences without taking action, which contradicts the active decision to decommission and migrate.

977 · MCQ · easy

During a control monitoring review, it is discovered that a detective control has a high false positive rate. What is the MOST significant impact of this issue?

A. Loss of confidence in the control by management.
B. Increased risk of missing actual security incidents.
C. Reduced system performance due to alert processing.
D. Increased cost of investigating alerts.

Answer: B

Alert fatigue causes real incidents to be overlooked.

Why this answer

Option B is correct because a high false positive rate causes alert fatigue: analysts become desensitised to the control's output, and genuine incidents are overlooked among the noise. Option A is a secondary effect of the same problem. Option C is not directly caused by false positives. Option D is a real but less significant consequence than missing actual incidents.

978 · Multi-Select · medium

An organization is evaluating the business impact of a potential ransomware attack. Which TWO impact categories should be considered as direct financial losses? (Select TWO)

Select 2 answers
A. Incident response and recovery costs
B. Reputation damage and customer trust loss
C. Lost business due to downtime
D. Notification costs to affected parties
E. Regulatory fines

Answers: A, D

These are direct costs of responding to and recovering from the attack.

Why this answer

Direct financial losses include costs directly incurred from the incident, such as incident response and recovery, and notification costs. Lost business and reputation damage are indirect costs.

979 · MCQ · medium

A control monitoring system generates an alert when transaction volumes exceed 10,000 per hour. Recently, the system has been generating false positives during peak business hours due to legitimate seasonal spikes. Which of the following is the BEST approach to reduce false positives while maintaining effective monitoring?

A. Disable the alerting during peak hours
B. Implement manual review of all alerts during peak hours
C. Apply dynamic thresholding that adjusts based on historical baseline
D. Increase the alert threshold to 15,000 transactions per hour

Answer: C

Dynamic thresholding adapts to regular patterns, reducing false positives.

Why this answer

Dynamic thresholding uses historical baselines to automatically adjust alerting thresholds in response to predictable patterns, such as seasonal spikes. This approach reduces false positives during peak hours while preserving the system's ability to detect anomalous transaction volumes that deviate from the learned baseline, ensuring effective monitoring without manual intervention.

Exam trap

The trap here is that candidates mistakenly choose a static threshold increase (Option D) thinking it solves false positives, but CRISC expects adaptive controls that align with risk-based monitoring principles, not rigid rule changes.

How to eliminate wrong answers

Option A is wrong because disabling alerting during peak hours creates a blind spot, allowing genuine security or operational incidents to go undetected during the busiest period. Option B is wrong because manual review of all alerts during peak hours is not scalable, introduces human latency, and defeats the purpose of automated monitoring; it also increases operational overhead without addressing the root cause of false positives. Option D is wrong because simply raising the threshold to 15,000 transactions per hour is a static, one-size-fits-all fix that would still generate false positives during higher seasonal spikes and could miss true anomalies that fall below the new fixed threshold.

980 · MCQ · medium

A risk manager is using the FAIR model to quantify cyber risk. Which of the following inputs is MOST directly used to calculate probable financial loss?

A. Annualized loss expectancy (ALE)
B. Loss event frequency and loss magnitude
C. Vulnerability severity scores (CVSS)
D. Number of security incidents per year

Answer: B

These are the primary inputs to calculate probable financial loss.

Why this answer

FAIR derives probable financial loss from two top-level inputs: loss event frequency (how often a loss event is expected to occur in a given period) and loss magnitude (the monetary impact of each event). The risk figure is the combination of these two factors, so they are the inputs most directly used in the calculation.

981 · MCQ · hard

Refer to the exhibit. This JSON snippet defines a monitoring policy for S3 bucket access. Which of the following is a potential risk that might NOT be detected by this monitoring policy?

A. Unauthorized GET operations from within the trusted IP range.
B. Unauthorized PUT operations from within the trusted IP range.
C. Unauthorized DELETE operations from any IP.
D. Unauthorized PUT operations from outside the trusted IP range.

Answer: C

DELETE operations are not covered by the policy at all, so they would not be monitored.

Why this answer

Option C is correct. The policy only covers PutObject and GetObject actions. DeleteObject is not monitored, so unauthorized DELETE operations would go undetected.

Options A, B, and D all concern GET and PUT operations. The policy contains a rule for PutObject and GetObject scoped to the trusted IP range, so those operations are addressed by the policy and any behaviour outside the rule's intent can at least be identified. Whether a given GET or PUT from a given source is permitted or denied depends on the policy's intent, which makes those options debatable. Option C is the clearest answer because DeleteObject does not appear in the policy at all, so DELETE operations from any IP are completely unmonitored.

982 · MCQ · hard

An organization uses a Key Control Indicator (KCI) to measure control effectiveness. The KCI shows a control deficiency rate of 12% over the past quarter, exceeding the target threshold of 5%. Which action is MOST appropriate as an initial response?

A. Report the deficiency to the board for oversight
B. Increase the frequency of control testing to monthly
C. Immediately replace the control with a more robust one
D. Conduct a root cause analysis of the deficiencies

Answer: D

Understanding why the control is failing is essential before implementing corrective actions.

Why this answer

A high deficiency rate indicates the control is not working as intended. The first step is to investigate root causes to determine necessary remediation.

Certified in Risk and Information Systems Control (CRISC) Questions 976–982 | Page 14/14 | Courseiva