Certified in Risk and Information Systems Control (CRISC) — Questions 76–150

500 questions total · 7 pages · All types, answers revealed

Page 2 of 7

76
Multi-Select · medium

Which TWO of the following are recognized techniques for identifying IT risks? (Select exactly 2.)

Select 2 answers
A. ROI calculation
B. Brainstorming sessions
C. Benchmarking against industry peers
D. Threat modeling
E. SWOT analysis
Answers: B, D

Brainstorming with stakeholders generates risk ideas.

Why this answer

Brainstorming sessions (B) are a recognized technique for IT risk identification because they leverage the collective expertise of stakeholders to surface potential threats, vulnerabilities, and risk scenarios in a structured or unstructured group setting. This method is cited in ISACA's CRISC Review Manual as a qualitative risk identification approach, often used during the early stages of risk assessment to generate a comprehensive list of risks without requiring quantitative data. Threat modeling (D) is the second recognized technique: it works systematically through an asset or system design to enumerate threat agents, attack paths, and the weaknesses they could exploit, which is risk identification in its most direct form.

Exam trap

The trap here is that candidates often confuse strategic or financial analysis tools (like SWOT or ROI) with risk identification techniques, but CRISC specifically requires methods that directly uncover threats and vulnerabilities, such as brainstorming and threat modeling, rather than high-level planning or performance metrics.

77
MCQ · hard

Refer to the exhibit. What is the PRIMARY risk identified from this policy?

A. Unrestricted public read access to confidential data
B. Inadequate logging
C. Lack of encryption for data at rest
D. Missing versioning
Answer: A

The policy grants read access to anyone on the internet.

Why this answer

The exhibit's policy grants read access to anyone on the internet: in S3 terms, an Allow statement whose Principal is '*' and whose Action includes s3:GetObject lets any unauthenticated caller fetch every object in the bucket. The control statement quoted on this page, 'All S3 buckets must be private by default', exists precisely to prevent that exposure. Public read of confidential data is therefore the primary risk: a single misconfigured statement is enough for a data breach, with no credential required.

Exam trap

The trap here is that candidates may confuse the primary risk (public read access to data) with secondary risks like logging or encryption, but the policy's explicit focus on 'private by default' directly targets unauthorized public exposure.

How to eliminate wrong answers

Option B is wrong because inadequate logging is a separate operational risk (e.g., missing CloudTrail or S3 server access logs), not the primary risk from a bucket being public. Option C is wrong because lack of encryption for data at rest (e.g., SSE-S3 vs. SSE-KMS) is a different security control; a private bucket with no encryption still prevents public read access.

Option D is wrong because missing versioning (e.g., S3 Versioning disabled) is a data protection and recovery risk, not directly related to public read access.
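
The check a practitioner would run against the exhibit, as an added example (not code from the question bank): a scanner that parses an S3 bucket-policy document and flags any Allow statement that grants object reads to a wildcard principal. The two policy documents, the bucket name and the account ID are constructed for illustration.

```python
"""Detect public read access in an S3 bucket policy document.

Added example; not part of the original question bank. The two policy
documents below are constructed for illustration.
"""
import json

# Actions that permit reading objects; matched case-insensitively.
READ_ACTIONS = {"s3:getobject", "s3:get*", "s3:*", "*"}


def _as_list(value):
    """Policy elements may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    """True when the Principal matches anyone, including anonymous callers."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def _grants_read(actions):
    return any(a.lower() in READ_ACTIONS for a in _as_list(actions))


def public_read_statements(policy_json):
    """Return the Sids (or indexes) of statements that allow public object reads.

    A statement is flagged when it is an Allow, its Principal is '*' or
    {"AWS": "*"}, it grants a read action, and it carries no Condition block.
    Conditioned statements are skipped because a Condition (for example on
    aws:SourceVpce) may restrict the audience; review those by hand.
    """
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_public(stmt.get("Principal")):
            continue
        if not _grants_read(stmt.get("Action")):
            continue
        if stmt.get("Condition"):
            continue
        findings.append(stmt.get("Sid", f"statement[{idx}]"))
    return findings


# Constructed sample: a world-readable bucket policy.
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicReadGetObject",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject"],
        "Resource": "arn:aws:s3:::example-confidential-bucket/*",
    }],
})

# Constructed sample: read access limited to one role in the account.
PRIVATE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "RoleReadOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/ReportingRole"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-confidential-bucket/*",
    }],
})

if __name__ == "__main__":
    print("public policy:", public_read_statements(PUBLIC_POLICY))    # ['PublicReadGetObject']
    print("private policy:", public_read_statements(PRIVATE_POLICY))  # []
```

This is a detective check over policy JSON only; it does not look at bucket ACLs, and it deliberately leaves conditioned statements for manual review. The preventive "private by default" control in AWS is S3 Block Public Access applied at the account level, which stops such a statement from taking effect in the first place.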

78
Multi-Select · medium

A company has a critical production system with a known vulnerability. Due to the system's age, the vendor no longer supports it. The company decides to implement network segmentation and purchase cyber insurance to cover potential losses. Which TWO risk response options are they applying?

Select 2 answers
A. Accept
B. Transfer
C. Avoid
D. Ignore
E. Mitigate
Answers: B, E

Insurance transfers financial risk.

Why this answer

Options B and E are correct: network segmentation mitigates the risk (it reduces the likelihood that the vulnerability can be reached and exploited from the rest of the network), and cyber insurance transfers part of the financial impact to a third party. Options A, C, and D are not applied: the company is not accepting the risk as-is, it is not avoiding it by retiring the system, and 'ignore' is not a recognized risk response at all.

79
MCQ · hard

A multinational corporation is evaluating a new vendor for cloud services. The vendor's data centers are located in a country with weak data protection laws. The corporation's data includes personal information of EU citizens subject to GDPR. What is the MOST appropriate risk response?

A. Avoid by choosing a vendor in a country with strong data protection laws
B. Require the vendor to sign standard contractual clauses and encrypt all data
C. Accept the risk because the vendor offers the best price
D. Purchase cyber insurance to cover potential fines
Answer: B

This mitigates risk to an acceptable level under GDPR.

Why this answer

Option B is correct because transferring EU personal data to a country without an adequacy decision is lawful under GDPR Chapter V only with appropriate safeguards, such as the European Commission's standard contractual clauses (Article 46), and encrypting the data limits the impact if the vendor's environment or local law proves weaker than expected. Together they mitigate the risk to an acceptable level while keeping the vendor. Option D is wrong because insurance does not make a transfer lawful, and in many jurisdictions regulatory fines are not insurable at all. Option C is wrong because price is not a basis for accepting a compliance risk; acceptance here means knowingly operating outside GDPR. Option A is wrong because avoidance may not be practical when the vendor is otherwise the best option, and it is unnecessary when adequate safeguards can be put in place.

80
MCQ · medium

An organization has implemented a continuous monitoring solution for its critical applications. The IT team reports that the monitoring tool generates a high volume of false positives. What is the BEST course of action?

A. Refine the monitoring rules and thresholds to reduce false positives.
B. Disable the monitoring for applications that generate the most false positives.
C. Increase the size of the monitoring team to handle the alerts.
D. Implement additional detective controls for all false positive alerts.
Answer: A

Tuning the tool reduces noise and enhances monitoring effectiveness.

Why this answer

Option A is correct because tuning rules and thresholds attacks the root cause of the noise: alerts that fire on benign activity. Fewer false positives means analysts spend their time on alerts that matter, so the monitoring becomes both more efficient and more effective. Option B is wrong because disabling monitoring for the noisiest applications removes coverage entirely and may blind the team to the systems most likely to have real problems. Option C is wrong because adding analysts absorbs the noise rather than reducing it; cost grows while rule quality stays the same. Option D is wrong because layering more detective controls on top of false-positive alerts creates still more alerts to triage and does nothing to make the existing signals more accurate.
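
What "refine the rules and thresholds" looks like in practice, as an added example (not code from the question bank): per-rule precision measured from analyst verdicts on past alerts, and, for a rule with a numeric trigger, the highest threshold that still keeps every confirmed true positive. The rule names, observed values, verdicts and the 0.5 precision floor are constructed assumptions.

```python
"""Tune noisy detections from triage history.

Added example; the triaged alerts below are constructed.
"""
from collections import defaultdict

# Constructed triage history: (rule name, observed value, analyst verdict).
TRIAGED = [
    ("failed-logins", 6, "false_positive"), ("failed-logins", 8, "false_positive"),
    ("failed-logins", 12, "false_positive"), ("failed-logins", 25, "true_positive"),
    ("failed-logins", 40, "true_positive"), ("failed-logins", 9, "false_positive"),
    ("new-admin-user", 1, "true_positive"), ("new-admin-user", 1, "true_positive"),
    ("new-admin-user", 1, "false_positive"),
]


def precision_by_rule(triaged):
    """Precision = true positives / all alerts the rule produced, per rule."""
    counts = defaultdict(lambda: [0, 0])  # [true positives, false positives]
    for rule, _, verdict in triaged:
        counts[rule][0 if verdict == "true_positive" else 1] += 1
    return {rule: tp / (tp + fp) for rule, (tp, fp) in counts.items()}


def rules_to_refine(triaged, min_precision=0.5):
    """Rules below the precision floor are candidates for tuning, not for
    disabling: the point is to cut noise while keeping the coverage."""
    return sorted(r for r, p in precision_by_rule(triaged).items() if p < min_precision)


def sweep_threshold(triaged, rule):
    """For a rule with a numeric trigger, return (threshold, false positives left)
    for the highest threshold that still fires on every confirmed true positive.

    Returns None when the rule has no true positives in the history, because a
    threshold chosen on false positives alone would just silence the rule.
    """
    rows = [(v, verdict) for r, v, verdict in triaged if r == rule]
    tp_values = [v for v, verdict in rows if verdict == "true_positive"]
    if not tp_values:
        return None
    ceiling = min(tp_values)  # raising the threshold past this loses a true positive
    best = None
    for t in sorted({v for v, _ in rows}):
        if t > ceiling:
            break
        fps_left = sum(1 for v, verdict in rows if verdict == "false_positive" and v >= t)
        best = (t, fps_left)
    return best


if __name__ == "__main__":
    print(precision_by_rule(TRIAGED))               # failed-logins 0.33, new-admin-user 0.67
    print(rules_to_refine(TRIAGED))                 # ['failed-logins']
    print(sweep_threshold(TRIAGED, "failed-logins"))  # (25, 0)
```

The sweep is deliberately conservative: it never trades away a confirmed true positive for less noise. A threshold chosen this way should still be validated against fresh data, since the history only contains what analysts happened to triage.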

81
MCQ · hard

You are the IT risk manager for a multinational corporation with a hybrid cloud environment. The company uses AWS for its primary infrastructure and maintains an on-premises data center for legacy applications. Recently, the security team detected that a contractor's credentials were used to access an S3 bucket containing personally identifiable information (PII) of European customers. The contractor had been granted access to this bucket six months ago for a data migration project that has since been completed. The access was not revoked. The security team has implemented an automated process to review and revoke access for contractors after project completion, but this process has not been applied retroactively. The company is subject to GDPR. Which of the following is the BEST course of action to address the immediate risk?

A. Conduct a forensic investigation to determine if any data was exfiltrated, then update the incident response plan.
B. Immediately revoke the contractor's access and initiate a review of all contractor accounts to revoke any unnecessary permissions.
C. Manually review access rights for all contractors and revoke those not needed, starting with the most sensitive systems.
D. Update the automated access review process to include all existing contractor accounts and schedule it to run weekly.
Answer: B

This directly mitigates the immediate risk of unauthorized access.

Why this answer

The immediate risk is that the contractor still has active access to an S3 bucket containing PII, which breaches GDPR's integrity and confidentiality principle (Article 5(1)(f)) and the security obligations of Article 32, both of which require access to be limited to those who need it. Revoking the contractor's access now stops any ongoing unauthorized access, and initiating a review of all contractor accounts addresses the systemic failure to apply the automated process retroactively. This directly mitigates the risk of further data exposure without delay.

Exam trap

The trap here is that candidates may choose a forensic or process-improvement option (A or D) because they seem thorough, but the question asks for the BEST course of action to address the immediate risk, which is to stop the active unauthorized access first before investigating or improving long-term processes.

How to eliminate wrong answers

Option A is wrong because conducting a forensic investigation first delays the immediate action needed to stop ongoing unauthorized access; while forensics may be needed later, the priority is to revoke access to prevent further potential data exfiltration. Option C is wrong because manually reviewing all contractors starting with the most sensitive systems is slower and less efficient than immediately revoking the known risky access and then performing a broader review; it also fails to address the fact that the automated process should be applied retroactively. Option D is wrong because updating the automated process to include existing accounts and scheduling it weekly does not address the immediate risk of the contractor's current active access; it only prevents future occurrences, leaving the current vulnerability open.

82
MCQ · hard

Based on the exhibit, which risk should be treated first according to the risk rating?

A. R003, because the likelihood is highest
B. R002, because the impact is highest
C. All three should be treated simultaneously
D. R001, because it has the highest risk level
Answer: D

R001 has level 15, the highest.

Why this answer

Option D is correct because risk treatment priority is determined by the risk level, which is a function of both likelihood and impact. In the exhibit, R001 has the highest risk level (15, calculated as likelihood × impact), making it the most critical to address first. This aligns with the CRISC principle of prioritizing risks with the highest residual risk rating.

Exam trap

The trap here is that candidates often confuse 'highest likelihood' or 'highest impact' with 'highest risk level,' but CRISC emphasizes that risk level is the product of both factors, not any single component.

How to eliminate wrong answers

Option A is wrong because R003 has the highest likelihood but not the highest risk level; risk treatment prioritizes risk level, not likelihood alone. Option B is wrong because R002 has the highest impact but not the highest risk level; impact alone does not determine priority without considering likelihood. Option C is wrong because simultaneous treatment is inefficient and contradicts the risk management principle of prioritizing based on risk level; resources should be allocated to the highest-rated risk first.

83
MCQ · hard

After implementing security controls, a risk assessment shows a residual risk of data exfiltration with a probability of 5% and potential loss of $10 million. The organization's risk appetite allows a maximum acceptable risk level of 3% probability for such impact. The cost of further mitigation is $1 million. What is the best risk response?

A. Implement additional controls to reduce probability to 2%
B. Accept the residual risk
C. Purchase cybersecurity insurance
D. Discontinue the process
Answer: A

Further mitigation brings risk within appetite.

Why this answer

Option A is correct because the residual probability (5%) exceeds the maximum the organization has said it will bear for this impact (3%), so the risk is outside appetite and must be reduced; bringing probability down to 2% puts it back inside. Cost-benefit informs how that reduction is achieved, not whether it is required: appetite is a board-level constraint. Option B is wrong because accepting a risk that sits outside the stated appetite contradicts the appetite statement. Option C is wrong because insurance reduces the financial impact of an event but does nothing to its probability, and the appetite here is expressed as a probability. Option D is wrong because discontinuing the process is disproportionate when a feasible mitigation exists.

84
MCQ · medium

A risk manager is identifying risks for an organization that uses a hybrid cloud environment. The organization stores sensitive data on-premises and in the cloud. Which of the following is the MOST effective method for identifying risks related to data residency and compliance?

A. Conduct a penetration test of the cloud environment
B. Review data flow diagrams and legal requirements for each jurisdiction
C. Perform a configuration review of cloud security settings
D. Review the cloud provider's SOC 2 report
Answer: B

This identifies data movement and regulatory compliance risks.

Why this answer

Reviewing data flow diagrams alongside legal requirements for each jurisdiction is the most effective method because it directly maps where sensitive data resides, transits, and is processed across on-premises and cloud environments, enabling precise identification of residency and compliance gaps. This approach aligns with CRISC's emphasis on risk identification through understanding data lineage and regulatory obligations, rather than relying on post-deployment security tests or generic reports.

Exam trap

The trap here is that candidates confuse security testing (penetration tests, configuration reviews) with compliance risk identification, overlooking that data residency and legal requirements demand a process-oriented review of data flows and jurisdictional rules, not just technical controls.

How to eliminate wrong answers

Option A is wrong because a penetration test assesses security vulnerabilities (e.g., misconfigurations, exploit paths) but does not evaluate data residency or compliance with jurisdictional laws like GDPR or CCPA. Option C is wrong because a configuration review of cloud security settings checks for technical controls (e.g., encryption, IAM policies) but cannot reveal whether data storage locations violate specific residency requirements. Option D is wrong because a SOC 2 report provides assurance on a cloud provider's controls (e.g., security, availability) but does not detail data flow paths or legal compliance for each jurisdiction where data resides.

85
MCQ · medium

A company outsourced its payroll processing to a third-party vendor. During the risk assessment, it was found that the vendor's data centers are in a country with weak data protection laws. What is the BEST way to treat this risk?

A. Terminate the contract and bring payroll in-house
B. Purchase cyber insurance to cover potential losses
C. Require contractual clauses and verify compliance
D. Accept the risk because the vendor has never had a breach
Answer: C

Contractual obligations with verification help manage the risk while maintaining operations.

Why this answer

The best way to treat this risk is to implement contractual controls that require the vendor to adhere to data protection standards equivalent to the company's requirements, and to verify compliance through audits or certifications. This directly addresses the root cause—weak local data protection laws—by imposing enforceable obligations on the vendor, rather than transferring, avoiding, or accepting the risk without mitigation. Contractual clauses with compliance verification are a recognized risk mitigation technique in third-party risk management, as they create a legal framework for data protection regardless of the vendor's jurisdiction.

Exam trap

The trap here is that candidates often confuse risk treatment options—mistaking risk transfer (insurance) or risk avoidance (termination) for the most appropriate response, when the question specifically asks for the 'best way to treat' a risk that can be mitigated through contractual and compliance controls.

How to eliminate wrong answers

Option A is wrong because terminating the contract and bringing payroll in-house may not be feasible or cost-effective, and it does not address the risk assessment's finding that the vendor's location has weak data protection laws—it avoids the risk rather than treating it with a balanced, business-aligned response. Option B is wrong because purchasing cyber insurance transfers the financial impact of a breach but does not reduce the likelihood or severity of the data protection risk; it is a risk transfer technique, not a risk treatment that addresses the underlying control weakness. Option D is wrong because accepting the risk based solely on the vendor's historical lack of breaches ignores the inherent risk from weak data protection laws and violates the principle of due care; risk acceptance requires a formal decision with documented justification, not passive reliance on past performance.

86
MCQ · hard

A multinational organization uses multiple risk management systems that do not integrate with each other. The risk team manually consolidates data into a spreadsheet for reporting. This process is error-prone and time-consuming. Which of the following is the BEST long-term solution to improve risk monitoring and reporting?

A. Standardize the spreadsheet format across all departments
B. Implement a centralized governance, risk, and compliance (GRC) platform with automated data feeds
C. Train risk owners on how to better manually report risks
D. Assign dedicated staff to perform additional manual reviews of the spreadsheet
Answer: B

A GRC platform streamlines data integration and reporting.

Why this answer

Option B is correct because a centralized GRC platform fed automatically from each risk system removes the manual consolidation step that causes the errors and the delay. Option A is wrong because standardized spreadsheets still have to be consolidated by hand. Option C is wrong because training does not address the system integration issue. Option D is wrong because adding more manual reviews increases overhead without removing the error-prone step.

87
MCQ · medium

During a qualitative risk assessment, the risk owner rates the likelihood of a threat as 'high' and the impact as 'medium'. According to standard risk matrices, what is the resulting risk level?

A. Low
B. High
C. Medium
D. Critical
Answer: B

High likelihood and medium impact yields high risk.

Why this answer

In a standard 3x3 or 5x5 risk matrix, a 'high' likelihood combined with a 'medium' impact typically maps to a 'high' risk level. This is because the risk level is determined by the intersection of likelihood and impact, and the product or matrix cell for these two ratings falls into the high category, indicating a significant risk that requires management attention.

Exam trap

The trap here is that candidates often confuse 'medium' impact with a 'medium' overall risk level, failing to account for the multiplicative or matrix-based escalation when likelihood is high.

How to eliminate wrong answers

Option A (Low) is wrong because a 'high' likelihood with a 'medium' impact does not produce a low risk level; low risk would require both likelihood and impact to be low. Option C (Medium) is wrong because while 'medium' impact is present, the 'high' likelihood elevates the overall risk above medium in standard matrices. Option D (Critical) is wrong because critical risk typically requires both likelihood and impact to be 'high' or 'very high', not a mix of 'high' and 'medium'.
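
The matrix logic behind questions 82 and 87 in one added example (not code from the question bank): a 5x5 likelihood × impact score, the qualitative band it falls in, and a register sorted into treatment order. The scale, the band boundaries and the three register entries are constructed for illustration and do not reproduce the exhibit for question 82.

```python
"""Score and rank risks with a 5x5 likelihood x impact matrix.

Added example; the scale, band boundaries and register entries are
constructed and do not reproduce the exhibit from question 82.
"""

SCALE = {"very low": 1, "low": 2, "medium": 3, "high": 4, "very high": 5}


def risk_score(likelihood, impact):
    """Numeric risk level = likelihood x impact on the 1-5 scales."""
    return SCALE[likelihood.lower()] * SCALE[impact.lower()]


def risk_band(score):
    """Map a 1-25 score onto qualitative bands.

    Band boundaries are an assumption of this example (organisations set
    their own): 1-4 low, 5-9 medium, 10-19 high, 20-25 critical.
    """
    if score >= 20:
        return "critical"
    if score >= 10:
        return "high"
    if score >= 5:
        return "medium"
    return "low"


def rate(likelihood, impact):
    return risk_band(risk_score(likelihood, impact))


def prioritise(register):
    """Register entries sorted for treatment, highest score first.

    Ties are broken by impact so that, between equally scored risks, the one
    with the larger single-event consequence is treated first.
    """
    return sorted(
        register,
        key=lambda r: (risk_score(r["likelihood"], r["impact"]),
                       SCALE[r["impact"].lower()]),
        reverse=True,
    )


# Constructed register: one entry with the highest likelihood, one with the
# highest impact, and one whose combination gives the highest level.
REGISTER = [
    {"id": "R001", "likelihood": "high", "impact": "high"},         # 4 x 4 = 16
    {"id": "R002", "likelihood": "low", "impact": "very high"},     # 2 x 5 = 10
    {"id": "R003", "likelihood": "very high", "impact": "low"},     # 5 x 2 = 10
]


def treatment_order(register=REGISTER):
    return [r["id"] for r in prioritise(register)]


if __name__ == "__main__":
    print(rate("high", "medium"))   # high (question 87: 4 x 3 = 12)
    print(treatment_order())        # ['R001', 'R002', 'R003']
```

Note that R002 and R003 tie on score; the impact tie-break is a design choice of this example, and a register with many ties is usually a sign that the scales are too coarse to prioritise with.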

88
MCQ · hard

A financial institution uses a quantitative risk assessment for a core banking system. The annual loss expectancy (ALE) is calculated as $500,000 with a single loss expectancy (SLE) of $2,500,000. What is the annualized rate of occurrence (ARO)?

A. 5.0
B. 2.0
C. 0.5
D. 0.2
Answer: D

ARO = ALE / SLE = 0.2.

Why this answer

The annualized rate of occurrence (ARO) is derived from the formula ALE = SLE × ARO. Given ALE = $500,000 and SLE = $2,500,000, solving for ARO yields $500,000 / $2,500,000 = 0.2. This means the core banking system is expected to experience a loss event once every five years on average.

Exam trap

The trap here is that candidates often invert the formula, dividing SLE by ALE to get 5.0, or misplace the decimal and get 0.5, instead of correctly applying ALE = SLE × ARO and solving for ARO.

How to eliminate wrong answers

Option A is wrong because 5.0 results from dividing SLE by ALE (2,500,000 / 500,000), which reverses the formula. Option B is wrong because 2.0 does not follow from either ratio; it is a distractor. Option C is wrong because 0.5 would arise from misplacing the decimal or assuming a 50% chance per year, which does not match the calculated ratio.
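
The arithmetic behind questions 83 and 88 in one added example (not code from the question bank): ARO solved from ALE = SLE × ARO, and a treatment decision that tests risk appetite before cost-benefit. The figures are the ones the two questions give; the decision rule and the function names are this example's own.

```python
"""Quantitative risk arithmetic and an appetite-first response check.

Added example; the figures are those given in questions 83 and 88.
"""


def aro(ale_value, sle):
    """Annualised rate of occurrence, solved from ALE = SLE x ARO."""
    if sle <= 0:
        raise ValueError("SLE must be positive")
    return ale_value / sle


def ale(sle, rate):
    """Annual loss expectancy."""
    return sle * rate


def mean_years_between_events(rate):
    return 1 / rate


def choose_response(residual_prob, max_prob, loss, mitigated_prob, mitigation_cost):
    """Decide between 'mitigate' and 'accept' for a residual risk.

    The appetite test comes first: a residual probability above the maximum
    the organisation will bear must be treated whatever the cost-benefit
    figures say. Cost-benefit only decides once the risk is already within
    appetite. Returns the decision plus the numbers a treatment plan needs.
    """
    current_ale = ale(loss, residual_prob)
    mitigated_ale = ale(loss, mitigated_prob)
    annual_saving = current_ale - mitigated_ale
    if residual_prob > max_prob:
        decision, reason = "mitigate", "residual probability exceeds risk appetite"
    elif annual_saving > mitigation_cost:
        decision, reason = "mitigate", "within appetite, but mitigation pays back within a year"
    else:
        decision, reason = "accept", "within appetite and mitigation cost exceeds annual saving"
    return {
        "decision": decision,
        "reason": reason,
        "current_ale": current_ale,
        "mitigated_ale": mitigated_ale,
        "annual_saving": annual_saving,
        "payback_years": mitigation_cost / annual_saving if annual_saving > 0 else None,
    }


if __name__ == "__main__":
    # Question 88: ALE $500,000, SLE $2,500,000 -> ARO 0.2, one event every 5 years.
    r = aro(500_000, 2_500_000)
    print(r, mean_years_between_events(r))  # 0.2 5.0
    # Question 83: 5% residual, 3% appetite, $10M loss, controls reach 2% for $1M.
    print(choose_response(0.05, 0.03, 10_000_000, 0.02, 1_000_000))
```

For question 83 the output shows why the answer is "mitigate" even though the $1M control saves only $300,000 of ALE per year (payback 3.3 years): the appetite breach decides it, and the cost-benefit figures merely tell the treatment plan what to expect.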

89
MCQ · medium

Refer to the exhibit. The SIEM alert triggered, but the security team did not respond because they were investigating another incident. What is the BEST way to prevent such monitoring gaps in the future?

A. Implement a ticketing system to track alert handling.
B. Hire additional security analysts to handle peak loads.
C. Increase the threshold to reduce false positives.
D. Configure automatic escalation to a secondary response team if the alert is not acknowledged within a set time.
Answer: D

Ensures alerts are not ignored.

Why this answer

Option D is correct because it directly addresses the monitoring gap caused by analyst unavailability. By configuring automatic escalation to a secondary response team if an alert is not acknowledged within a set time, the organization ensures that no alert is left unattended even when the primary team is occupied. This is a standard operational resilience control in SIEM workflows, often implemented via playbook automation or SOAR integration.

Exam trap

The trap here is that candidates often choose 'Hire additional security analysts' (Option B) as a capacity solution, but the question specifically tests the concept of operational resilience through automated failover, not just staffing levels.

How to eliminate wrong answers

Option A is wrong because a ticketing system tracks alert handling but does not automatically reassign or escalate unacknowledged alerts; it only logs the event, leaving the gap unaddressed. Option B is wrong because hiring additional analysts increases capacity but does not guarantee coverage during peak loads or when the team is already engaged; it is a scaling solution, not a failover mechanism. Option C is wrong because increasing the threshold to reduce false positives may suppress legitimate alerts, increasing the risk of missing real incidents; it does not solve the problem of unacknowledged alerts.
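
One way to implement the escalation in option D, as an added example (not the page's code, and not any specific SIEM or SOAR product's API): each unacknowledged alert is classified by age against two SLA windows, and overdue alerts are routed to the secondary team or the on-call manager, oldest first. The SLA values, the alert queue and the timestamps are constructed.

```python
"""Time-based escalation of unacknowledged SIEM alerts.

Added example; SLA windows, queue contents and timestamps are constructed.
"""
from datetime import datetime, timedelta

ACK_SLA = timedelta(minutes=15)        # primary team must acknowledge within this
SECONDARY_SLA = timedelta(minutes=30)  # beyond this, page the on-call manager


def escalation_state(alert, now):
    """Classify one alert at time `now`.

    alert: dict with 'id', 'raised' (datetime) and 'acknowledged' (datetime or None).
    Returns 'acknowledged', 'pending', 'escalate_secondary' or 'escalate_manager'.
    """
    if alert["acknowledged"] is not None:
        return "acknowledged"
    age = now - alert["raised"]
    if age > SECONDARY_SLA:
        return "escalate_manager"
    if age > ACK_SLA:
        return "escalate_secondary"
    return "pending"


def escalations(queue, now):
    """{alert_id: target} for every alert that must be routed elsewhere.

    Insertion order is oldest alert first, so the receiving team works the
    most overdue item first.
    """
    overdue = [a for a in queue if escalation_state(a, now).startswith("escalate")]
    overdue.sort(key=lambda a: a["raised"])
    return {a["id"]: escalation_state(a, now) for a in overdue}


# Constructed queue: the primary team is tied up in an incident, so alerts
# raised earlier have gone unacknowledged.
T0 = datetime(2024, 3, 1, 9, 0, 0)
QUEUE = [
    {"id": "ALR-100", "raised": T0, "acknowledged": T0 + timedelta(minutes=4)},
    {"id": "ALR-101", "raised": T0 + timedelta(minutes=5), "acknowledged": None},   # 40 min old
    {"id": "ALR-102", "raised": T0 + timedelta(minutes=25), "acknowledged": None},  # 20 min old
    {"id": "ALR-103", "raised": T0 + timedelta(minutes=40), "acknowledged": None},  # 5 min old
]
NOW = T0 + timedelta(minutes=45)

if __name__ == "__main__":
    print(escalations(QUEUE, NOW))
    # {'ALR-101': 'escalate_manager', 'ALR-102': 'escalate_secondary'}
```

The design point is that the escalation is driven by the absence of an acknowledgement, not by anyone noticing the backlog; that is what closes the gap in the scenario, where the team was busy and never looked.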

90
MCQ · hard

Your organization is undergoing a merger and acquisition. The IT risk assessment team is tasked with evaluating the target company's IT environment. During the assessment, you discover that the target company uses a legacy ERP system that is no longer supported by the vendor. They have no disaster recovery plan for this system, and it contains financial data critical to the merged entity. The integration timeline is aggressive, and replacing the system would delay the merger by 18 months. The executive team is reluctant to delay. What is the BEST risk treatment option?

A. Avoid the risk by excluding the legacy system from the merger and migrating data to a new system.
B. Accept the risk because the system has been running for years without issue.
C. Mitigate by developing a disaster recovery plan and implementing compensating controls such as regular backups and manual procedures.
D. Transfer the risk to the target company's previous owners.
Answer: C

Addresses key weaknesses without delaying merger.

Why this answer

Option C is correct because the legacy ERP system contains critical financial data and cannot be replaced without an 18-month delay, making risk mitigation the most practical approach. Developing a disaster recovery plan and implementing compensating controls (e.g., regular backups, manual procedures) reduces the likelihood and impact of a system failure while allowing the merger to proceed on schedule. This aligns with the CRISC principle of treating risk by reducing residual risk to an acceptable level without blocking business objectives.

Exam trap

The trap here is that candidates may choose Option B (accept the risk) because the system has been stable historically, but CRISC expects you to recognize that unsupported systems with no DR plan represent an unmanaged risk that requires active mitigation, not passive acceptance.

How to eliminate wrong answers

Option A is wrong because excluding the legacy system and migrating data to a new system would effectively replace it, causing the same 18-month delay the executive team wants to avoid; this is a risk avoidance strategy that is not feasible given the aggressive timeline. Option B is wrong because accepting the risk based solely on historical uptime ignores the fact that the system is unsupported, has no disaster recovery plan, and contains critical financial data—past performance does not guarantee future reliability, especially without vendor patches or support. Option D is wrong because transferring risk to the target company's previous owners is impractical post-acquisition; contractual indemnification may exist, but it does not address the ongoing operational risk of the unsupported system within the merged entity, and such transfer is typically limited to legal liability, not technical risk.

91
MCQ · hard

A company has a low risk appetite but high risk tolerance. Which of the following scenarios is consistent with this situation?

A. The company avoids controls and accepts high risk
B. The company invests heavily in cybersecurity controls but accepts some residual risk
C. The company has aggressive growth targets and accepts any IT risk
D. The company invests minimally in controls and has low residual risk
Answer: B

Low appetite drives control investment; high tolerance allows acceptance of remaining risk within bounds.

Why this answer

A low risk appetite means the company is unwilling to accept high levels of risk, while high risk tolerance indicates it can absorb the financial or operational impact of residual risk that remains after controls are applied. Investing heavily in cybersecurity controls reduces inherent risk to a low residual level, aligning with the low appetite, and the acceptance of some residual risk is consistent with the high tolerance. This scenario reflects a balanced approach where controls are prioritized to meet appetite, and tolerance allows for manageable leftover risk.

Exam trap

The trap here is confusing risk appetite (the willingness to take risk) with risk tolerance (the capacity to withstand risk), leading candidates to incorrectly associate high tolerance with accepting high risk, when in fact high tolerance allows for acceptance of residual risk after controls are applied.

How to eliminate wrong answers

Option A is wrong because avoiding controls and accepting high risk directly contradicts a low risk appetite, which demands risk reduction, not acceptance of high risk. Option C is wrong because aggressive growth targets and accepting any IT risk ignore the low risk appetite, which would reject unmitigated high-risk initiatives. Option D is wrong because investing minimally in controls would leave high inherent risk unaddressed, resulting in residual risk that exceeds a low appetite, and low residual risk cannot be achieved without adequate controls.

92
MCQ · easy

A risk practitioner discovers that a critical control deficiency has been open for six months beyond the agreed remediation date. What is the MOST appropriate reporting action?

A. Report the overdue deficiency to senior management for escalation.
B. Notify the control owner and request an updated remediation plan.
C. Accept the delay and extend the remediation date by six months.
D. Update the risk register to reflect the increased residual risk and close out the deficiency.
Answer: A

Timely escalation is key for unresolved critical issues.

Why this answer

Option A is correct because a critical deficiency six months past its agreed date needs senior management's attention to secure resources and accountability, and escalating it is the risk practitioner's reporting duty. Option B is wrong because the control owner has already missed the agreed date; asking only them for a new plan is unlikely to drive action. Option C is wrong because extending the date without addressing the delay simply defers the exposure. Option D is wrong because updating the risk register is a secondary step, and closing out a deficiency that is still open misstates the organization's control position.

93
MCQ · easy

A risk manager notices that a key risk indicator (KRI) for system downtime has exceeded the threshold for two consecutive months. What is the MOST appropriate immediate action?

A. Revise the KRI threshold to a higher value.
B. Archive the current KRI and define a new one.
C. Update the risk register with the new KRI value.
D. Escalate to the risk owner for investigation.
Answer: D

The risk owner should assess the situation and determine corrective actions.

Why this answer

Option D is correct because a KRI breaching its threshold for two consecutive months signals a sustained increase in risk, and the risk owner is accountable for investigating the cause and deciding on corrective action. Option C is wrong because updating the risk register alone records the value without addressing the concern. Option A is wrong because raising the threshold without understanding the cause masks the issue. Option B is wrong because the KRI is doing exactly what it was defined to do; archiving it and defining a new one discards the signal.

94
MCQ · easy

A company implements a new automated control to monitor user access rights. The control sends a daily report of any users with excessive privileges. What is the PRIMARY benefit of this control?

A. Enables timely remediation of access violations
B. Reduces the number of user access reviews
C. Eliminates the need for manual checks
D. Provides real-time alerts for critical changes
Answer: A

Daily reports allow prompt action to reduce risk.

Why this answer

Option A is correct because a daily report of excessive privileges lets the organization identify and remediate access violations promptly instead of waiting for the next periodic review. Option B is wrong because periodic user access reviews are still needed; the report supplements them. Option C is wrong because manual checks and manual remediation are still required; the control detects, it does not fix. Option D is wrong because a daily report is not real-time alerting.
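
The checks behind questions 81 and 94 in one added example (not code from the question bank): a daily access review that flags grants tied to a project that has already ended (the contractor in question 81) and privileges beyond a role's baseline (the report in question 94), and lists the principals whose access must be revoked today. The role baseline, the inventory, the bucket names and the dates are constructed; a real run would read them from the IAM or directory source of truth.

```python
"""Daily access review: stale project-scoped grants and excess privileges.

Added example serving questions 81 and 94; baseline, inventory and dates
are constructed.
"""
from datetime import date

# Assumed baseline: the maximum privilege set each role is entitled to.
ROLE_BASELINE = {
    "contractor-migration": {"s3:GetObject", "s3:PutObject", "s3:ListBucket"},
    "analyst": {"s3:GetObject", "s3:ListBucket"},
}


def review_access(inventory, baseline, today):
    """Return findings, each a dict with 'principal', 'issue', 'detail', 'pii'.

    Two checks are applied to every entry:
      * stale_grant      - the grant's 'expires' date (tied to a project end)
                           is already past; access should have gone then;
      * excess_privilege - the granted actions exceed the role's baseline.
    Stale grants on PII resources sort first: they are revoked today, not at
    the next scheduled review.
    """
    findings = []
    for entry in inventory:
        expires = entry.get("expires")
        if expires is not None and expires < today:
            findings.append({
                "principal": entry["principal"], "issue": "stale_grant",
                "detail": f"expired {expires.isoformat()} on {entry['resource']}",
                "pii": entry.get("pii", False),
            })
        excess = set(entry["actions"]) - baseline.get(entry["role"], set())
        if excess:
            findings.append({
                "principal": entry["principal"], "issue": "excess_privilege",
                "detail": f"{sorted(excess)} beyond role {entry['role']}",
                "pii": entry.get("pii", False),
            })
    findings.sort(key=lambda f: (f["issue"] != "stale_grant", not f["pii"], f["principal"]))
    return findings


def revoke_list(findings):
    """Principals whose access must be revoked immediately: stale grants."""
    return sorted({f["principal"] for f in findings if f["issue"] == "stale_grant"})


# Constructed inventory: a contractor whose migration project ended six months
# ago, an analyst holding a write permission the role does not allow, and one
# clean entry.
INVENTORY = [
    {"principal": "contractor-alice", "role": "contractor-migration",
     "resource": "s3://customer-pii-eu", "pii": True,
     "actions": ["s3:GetObject", "s3:ListBucket"], "expires": date(2023, 9, 30)},
    {"principal": "analyst-bob", "role": "analyst",
     "resource": "s3://reports", "pii": False,
     "actions": ["s3:GetObject", "s3:PutObject"], "expires": None},
    {"principal": "analyst-carol", "role": "analyst",
     "resource": "s3://reports", "pii": False,
     "actions": ["s3:GetObject"], "expires": None},
]
TODAY = date(2024, 3, 31)

if __name__ == "__main__":
    findings = review_access(INVENTORY, ROLE_BASELINE, TODAY)
    for f in findings:
        print(f["principal"], f["issue"], f["detail"])
    print(revoke_list(findings))  # ['contractor-alice']
```

The review only works if every project-scoped grant carries an expiry; a grant with no 'expires' value is invisible to the stale check, which is exactly how the contractor in question 81 kept access for six months after the migration finished.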

95
MCQ · easy

Which of the following is the BEST indicator that an organization's IT risk assessment process is effective?

A. The risk register contains a large number of risks
B. Risk appetite statements are clearly defined
C. Risk assessments are performed annually
D. Risk treatment plans are implemented within agreed timelines
Answer: D

Implementation shows action.

Why this answer

The effectiveness of an IT risk assessment process is ultimately measured by whether identified risks are actually treated within agreed timelines. Option D directly demonstrates that the organization moves from risk identification to remediation, closing the risk management loop. Without timely implementation of treatment plans, even the most thorough risk assessments provide no reduction in actual risk exposure.

Exam trap

The trap here is that candidates confuse inputs or prerequisites (like risk appetite or scheduled assessments) with the output-based evidence of effectiveness, which is the actual closure of risk treatment actions within agreed timelines.

How to eliminate wrong answers

Option A is wrong because a large number of risks in the register does not indicate effectiveness; it may indicate poor risk aggregation, excessive risk tolerance, or failure to treat risks. Option B is wrong because clearly defined risk appetite statements are a prerequisite for effective risk assessment, not a measure of the assessment process itself. Option C is wrong because performing risk assessments annually only indicates compliance with a schedule, not that the assessments are accurate, actionable, or lead to risk reduction.

96
MCQ · medium

A healthcare organization is implementing a new electronic health records (EHR) system. During the risk assessment, the risk practitioner discovers that the system's access control mechanism allows any authenticated user to view patient records without additional authorization checks. This violates the principle of least privilege and could lead to unauthorized disclosure of protected health information (PHI). The IT team proposes implementing role-based access control (RBAC), but it will require significant changes to the system configuration and user training. The project manager is concerned about delays to the go-live date. The organization has a moderate risk appetite but must comply with HIPAA regulations. Which of the following actions should the risk practitioner recommend FIRST?

A. Accept the risk because the likelihood of unauthorized access is low.
B. Implement a temporary compensating control, such as logging and monitoring all accesses to patient records, and proceed with go-live while RBAC is developed.
C. Proceed with the go-live as scheduled and plan to implement RBAC in a future upgrade.
D. Delay the go-live until RBAC is fully implemented to ensure compliance.
Answer: B

Compensating controls reduce risk while avoiding delays.

Why this answer

Option B is correct because it balances the immediate need to go live with the critical requirement to protect PHI. Logging and monitoring all accesses acts as a detective compensating control, providing visibility into unauthorized disclosures while the more robust RBAC preventive control is developed. This approach aligns with the organization's moderate risk appetite and HIPAA compliance obligations by not accepting the risk outright, but also not delaying the project unnecessarily.

Exam trap

The trap here is that candidates often choose 'accept the risk' (A) or 'delay go-live' (D) because they focus on either risk appetite or compliance in isolation, failing to recognize that compensating controls can bridge the gap between operational urgency and regulatory requirements.

How to eliminate wrong answers

Option A is wrong because accepting the risk of unauthorized PHI disclosure violates HIPAA's requirement for appropriate administrative, physical, and technical safeguards, and the likelihood of unauthorized access is not low given that any authenticated user can view records. Option C is wrong because proceeding with go-live without any compensating control and planning RBAC for a future upgrade leaves a known high-risk vulnerability unaddressed, which is not acceptable under HIPAA's 'addressable' implementation specifications. Option D is wrong because delaying go-live until RBAC is fully implemented, while technically compliant, is overly conservative for an organization with a moderate risk appetite and ignores the possibility of using compensating controls to mitigate the risk in the interim.

97
MCQ · medium

An organization's risk register contains a risk with a very high impact but very low likelihood. The risk response strategy should be:

A. Mitigate
B. Avoid
C. Transfer
D. Accept
Answer: D

Acceptance is common for low-likelihood, high-impact risks.

Why this answer

When a risk has very high impact but very low likelihood, the most cost-effective response is often acceptance, because the probability of occurrence is so low that the cost of mitigation, avoidance, or transfer would exceed the expected benefit. Accepting the risk means the organization formally acknowledges it and monitors it, but does not allocate resources to reduce or transfer it. This aligns with the principle of risk appetite and cost-benefit analysis in IT risk management.

Exam trap

The trap here is that candidates mistakenly choose 'Mitigate' or 'Transfer' for any high-impact risk, failing to weigh the low likelihood against the cost of the response, which is a core concept in risk treatment decisions.

How to eliminate wrong answers

Option A is wrong because mitigation involves reducing the likelihood or impact through controls, which would incur ongoing costs that are not justified for a risk with very low likelihood. Option B is wrong because avoidance means eliminating the risk entirely by discontinuing the activity, which is an extreme measure that would likely disrupt business operations unnecessarily for a low-probability event. Option C is wrong because transfer (e.g., insurance or outsourcing) typically involves premium payments or contractual costs that are not warranted when the likelihood of the risk materializing is negligible.

98
MCQ · easy

An organization is implementing a new identity and access management (IAM) system. The risk manager is tasked with identifying risks associated with the migration from legacy authentication to single sign-on (SSO). Which of the following is the GREATEST risk during this migration?

A. Users may reuse strong passwords across multiple systems.
B. Users may experience increased convenience, leading to reduced security awareness.
C. Legacy authentication accounts may remain active, creating orphan accounts.
D. Help desk call volumes may increase due to SSO authentication failures.
Answer: C

Orphan accounts are a high-risk security issue if not disabled.

Why this answer

Option C is correct because legacy accounts that are not disabled after migration become unmanaged orphan accounts, posing a significant security risk. Option A is wrong because, while password reuse is a risk, it is less severe than orphan accounts. Option B is wrong because increased user convenience is a benefit, not a risk. Option D is wrong because SSO typically reduces help desk calls for password resets.

99
Multi-Select · hard

Which THREE of the following are typical components of a risk scenario?

Select 3 answers
A. Impact
B. Threat source
C. Probability
D. Vulnerability
E. Control
Answers: A, B, D

Describes the consequence of the event.

Why this answer

Impact is a typical component of a risk scenario because it defines the magnitude of harm to assets or business objectives if a threat exploits a vulnerability. In IT risk assessment, impact is quantified in terms of financial loss, reputational damage, or operational disruption, and it directly influences risk level calculations. Without impact, a risk scenario would lack the consequence necessary for prioritization and decision-making.

Exam trap

The trap here is that candidates confuse the components of a risk scenario (threat source, vulnerability, impact) with the elements of risk analysis (probability, control effectiveness), leading them to incorrectly select Probability or Control as scenario components.

100
MCQ · hard

A large financial services firm recently deployed a new security information and event management (SIEM) system to monitor thousands of servers, network devices, and applications. The system is generating over 1,000 alerts per hour, of which 80% are false positives. The security operations center (SOC) team is overwhelmed and has started ignoring all but the most critical alerts. As a result, a real attack recently went undetected for 48 hours. The risk manager is asked to recommend improvements. The SOC team has 12 analysts working in shifts. The SIEM is properly configured but the correlation rules are broad and noisy. The firm cannot add more staff due to budget freeze. What should the risk manager prioritize?

A. Disable all low-priority alerts to reduce volume immediately.
B. Implement a machine learning algorithm to automatically classify alerts.
C. Tune the alerting rules and adopt risk-based prioritization to filter out known false positives.
D. Request budget to hire five additional SOC analysts.
Answer: C

Reduces false positives while retaining meaningful alerts; improves SOC efficiency.

Why this answer

Tuning alerting rules with risk-based prioritization reduces noise and ensures the SOC focuses on true positives. Disabling low-priority alerts (A) may cause important events to be missed; machine learning (B) is complex and still needs tuning; hiring (D) is not feasible under the budget freeze.

101
MCQ · hard

During a risk assessment, an organization identifies that its remote workforce uses personal devices for work. The risk manager is concerned about data leakage. The organization has a risk appetite that is 'moderate' and wants to treat the risk. Which of the following is the MOST effective risk treatment option?

A. Implement a VPN for remote access
B. Require full disk encryption on all personal devices
C. Implement a Mobile Device Management (MDM) policy with containerization
D. Ban the use of personal devices for work
Answer: C

MDM with containerization provides a secure work environment on personal devices.

Why this answer

Option C is the most effective because MDM with containerization creates a separate, encrypted work profile on the personal device, isolating corporate data from personal apps and data. This directly addresses data leakage by enforcing security policies (e.g., remote wipe of the work container only) without requiring full control over the entire device, aligning with a 'moderate' risk appetite that seeks a balance between security and usability.

Exam trap

The trap here is that candidates often confuse 'encryption' (Option B) with 'data leakage prevention'—full disk encryption protects data at rest but does not control data flow between apps or enable selective wipe, making it less effective than containerization for a moderate risk appetite where usability and privacy are key considerations.

How to eliminate wrong answers

Option A is wrong because a VPN only encrypts data in transit between the device and the corporate network; it does not protect data at rest on the device, so if the device is lost or compromised, stored corporate data remains vulnerable to leakage. Option B is wrong because requiring full disk encryption on all personal devices is overly invasive for a moderate risk appetite—it encrypts the entire device, including personal data, and does not provide granular control over corporate data (e.g., selective wipe), potentially violating user privacy and causing resistance. Option D is wrong because banning personal devices outright is a risk avoidance strategy, not a treatment; it may reduce productivity and employee satisfaction, and it fails to address the organization's need to support a remote workforce while managing risk at an acceptable level.

102
Multi-Select · easy

Which TWO of the following are key elements that should be included in an IT risk assessment report?

Select 2 answers
A. A list of identified risks and their ratings
B. Recommendations for risk treatment
C. Copies of vendor contracts
D. Network topology diagrams
E. Detailed financial budgets of the IT department
Answers: A, B

Risk inventory is fundamental.

Why this answer

Option A is correct because the IT risk assessment report must document all identified risks along with their inherent and residual risk ratings (typically using a qualitative or quantitative scale such as 1-5 for likelihood and impact). This provides a clear, prioritized view of the risk landscape, enabling stakeholders to understand which risks require immediate attention. Without this list and ratings, the report lacks the foundational data needed for decision-making.

Exam trap

The trap here is that candidates confuse supporting documentation (like vendor contracts or network diagrams) with the core required elements of a risk assessment report, which must focus on risk identification, ratings, and treatment recommendations.

103
MCQ · medium

A large healthcare organization is implementing a new electronic health record (EHR) system. During the risk identification process, the risk team discovers that the EHR vendor has a history of minor security incidents but has always resolved them quickly. The vendor’s data center is located in a region prone to earthquakes. Additionally, the EHR system will integrate with several legacy systems that have known vulnerabilities. The project sponsor is keen to proceed and believes the vendor is reputable. The risk team needs to ensure all relevant risks are identified and documented. Which of the following should be the PRIORITY for the risk team?

A. Conduct a detailed assessment of the vendor's business continuity and disaster recovery plans, especially regarding natural disasters.
B. Request the vendor to patch the legacy system vulnerabilities before integration.
C. Focus on contractual indemnification clauses to transfer risk.
D. Accept the residual risk after implementing basic controls.
Answer: A

BCP/DR assessment addresses the earthquake risk directly.

Why this answer

The vendor's data center is in an earthquake-prone region, and the vendor has a history of minor security incidents. This creates a significant risk of service disruption that could impact patient safety and data availability. Prioritizing a detailed assessment of the vendor's business continuity and disaster recovery (BC/DR) plans ensures that the organization understands the vendor's ability to maintain operations and recover data in a disaster scenario, which is a fundamental risk identification activity before any mitigation or acceptance decisions.

Exam trap

The trap here is that candidates may focus on the legacy system vulnerabilities (Option B) because they are a known technical issue, but the question specifically prioritizes the vendor's data center risk, which is a higher-level business continuity concern that could render all other controls irrelevant if the vendor's site goes offline.

How to eliminate wrong answers

Option B is wrong because the legacy system vulnerabilities are owned by the healthcare organization, not the vendor; requesting the vendor to patch them is outside the vendor's responsibility and does not address the immediate risk of the vendor's data center location. Option C is wrong because focusing on contractual indemnification clauses is a risk transfer strategy that occurs after risks are fully identified and assessed, not a priority during the risk identification phase. Option D is wrong because accepting residual risk after implementing basic controls is premature; the risk team must first identify and analyze all relevant risks, including the vendor's BC/DR capabilities, before any acceptance decision can be made.

104
MCQ · medium

A financial institution uses a third-party cloud service for data analytics. The service has access to non-public personal information (NPI). During a risk assessment, the risk manager discovers that the cloud provider uses subprocessors without notifying the institution. The contract does not require notification of subprocessor changes. What should the risk manager do FIRST?

A. Notify the vendor of the contract breach and request a list of all subprocessors and their compliance certifications.
B. Report the incident to the data protection authority as a breach of contract.
C. Accept the risk since the vendor remains SOC 2 Type II certified.
D. Terminate the contract immediately to mitigate the risk of unauthorized data access.
Answer: A

First, understand the risk by obtaining information on subprocessors.

Why this answer

Option A is correct because the first step should be to notify the vendor of the breach and request a list of subprocessors so that the risk can be assessed; immediate termination may disrupt operations. Option B is wrong because the risk manager should first gather information before reporting to the data protection authority. Option C is wrong because accepting the risk without understanding the subprocessors' controls is not prudent. Option D is wrong because immediately terminating the contract could cause significant business disruption.

105
MCQ · hard

A financial institution is integrating a new cloud-based analytics platform that will process sensitive customer data. The project team is conducting risk identification. Which technique would be MOST effective for identifying risks related to the integration of this platform with existing on-premises systems?

A. Vulnerability scanning of the cloud platform's API endpoints.
B. Brainstorming sessions with the project team.
C. Threat modeling of the integration architecture.
D. SWOT analysis to assess strengths, weaknesses, opportunities, and threats.
Answer: C

Threat modeling systematically identifies threats to the integration points, such as data flow, trust boundaries, and authentication.

Why this answer

Threat modeling of the integration architecture is the most effective technique because it systematically identifies potential security threats, attack vectors, and vulnerabilities specific to the data flows, trust boundaries, and API interactions between the cloud-based analytics platform and existing on-premises systems. Unlike generic methods, threat modeling (e.g., STRIDE or PASTA) focuses on the unique integration points, such as authentication handshakes, data-in-transit encryption (TLS 1.2/1.3), and session management, which are critical for protecting sensitive customer data during integration.

Exam trap

The trap here is that candidates often choose vulnerability scanning (Option A) because they mistakenly believe that scanning API endpoints is sufficient for integration risk identification, but vulnerability scanning only finds known flaws in the API code, not architectural threats like insecure data flows or trust boundary violations that threat modeling uniquely addresses.

How to eliminate wrong answers

Option A is wrong because vulnerability scanning of the cloud platform's API endpoints is a reactive, point-in-time assessment that only identifies known software vulnerabilities (e.g., CVEs) in the API implementation, but it does not proactively analyze the overall integration architecture, data flows, or trust boundaries between cloud and on-premises systems. Option B is wrong because brainstorming sessions with the project team, while useful for generating ideas, lack a structured methodology and can miss subtle, architecture-specific threats like privilege escalation via misconfigured cross-origin resource sharing (CORS) or insecure direct object references (IDOR) in the integration layer. Option D is wrong because SWOT analysis is a high-level strategic planning tool that assesses strengths, weaknesses, opportunities, and threats at a business or project level, but it does not provide the technical depth needed to identify specific integration risks such as API gateway misconfigurations, token replay attacks, or data leakage through logging.

106
MCQ · medium

During a risk assessment for a cloud migration project, the IT risk manager identifies that the organization lacks visibility into the cloud provider's security controls. Which approach should the risk manager recommend to address this risk?

A. Obtain a third-party audit report (e.g., SOC 2 Type II).
B. Request the provider to self-attest their controls.
C. Accept the risk based on the provider's reputation.
D. Conduct a penetration test on the provider's infrastructure.
Answer: A

Provides independent assurance of control effectiveness.

Why this answer

A SOC 2 Type II report provides an independent, third-party assessment of a cloud provider's controls over a period of time, directly addressing the lack of visibility by offering verifiable evidence of control effectiveness. This is the standard approach for gaining assurance over a provider's security posture without relying on internal access or self-reporting.

Exam trap

The trap here is that candidates may choose penetration testing (D) as a direct technical solution, not realizing that cloud providers typically restrict such testing and that a SOC 2 report is the established, non-invasive method for gaining visibility into a provider's controls.

How to eliminate wrong answers

Option B is wrong because self-attestation lacks independent verification and is inherently biased, providing no reliable assurance to the risk manager. Option C is wrong because accepting risk based solely on reputation ignores the specific control environment and does not provide any evidence or visibility into actual security practices. Option D is wrong because conducting a penetration test on the provider's infrastructure is typically prohibited by the provider's terms of service and would not be feasible or authorized without a contractual agreement, nor does it replace the need for ongoing control assurance.

107
MCQ · easy

During a control self-assessment, an operational manager reports that a manual review control is performed quarterly instead of monthly as documented. What should the risk practitioner do?

A. Accept the change without documentation since risk level is unchanged
B. Escalate the deviation to senior management for disciplinary action
C. Update the control frequency in the risk register and assess residual risk
D. Require the manager to resume monthly reviews immediately
Answer: C

Accurate documentation and risk assessment are key.

Why this answer

The correct answer is C. The practitioner should update the control documentation to reflect the actual frequency and assess whether the quarterly review still provides adequate risk mitigation. Options B and D are punitive and not collaborative. Option A assumes the risk level is unchanged without analysis.

108
MCQ · easy

A risk assessment reveals that a data center is located in a flood-prone area. The organization decides to build a secondary data center in a different region and replicate critical data between both sites. This is an example of which risk response?

A. Risk acceptance
B. Risk mitigation
C. Risk avoidance
D. Risk transfer
Answer: B

Mitigation reduces risk through controls like replication.

Why this answer

Option B is correct because mitigation involves reducing risk through controls like redundancy. Option A is wrong because acceptance would mean doing nothing. Option C is wrong because avoidance would mean moving the primary data center. Option D is wrong because transfer would involve insurance.

109
MCQ · hard

A company uses a dashboard to monitor KRIs. One KRI shows a warning level, but the data is two months old. What is the primary concern?

A. The KRI is not relevant.
B. The dashboard is not user-friendly.
C. The threshold is too low.
D. The monitoring is not timely.
Answer: D

Outdated data prevents timely identification and response to risk changes.

Why this answer

For monitoring to be effective, data must be timely. Old data undermines the ability to respond promptly. Option D is correct. Options A, B, and C are secondary or irrelevant.

110
MCQ · hard

A multinational organization is assessing the risk of a new cloud service that stores data across multiple geographic regions. The service provider offers standard contractual terms and does not commit to specific data residency requirements. What is the primary risk that should be evaluated?

A. Service availability and uptime commitments.
B. Non-compliance with data protection regulations due to data location uncertainty.
C. Unauthorized access to data by cloud provider employees.
D. Inadequate encryption of data at rest and in transit.
Answer: B

Without data residency commitments, the organization may violate laws requiring data to stay within certain jurisdictions.

Why this answer

Compliance with data protection regulations (Option B) is the primary risk because data residency impacts legal obligations, especially under GDPR and similar laws.

111
MCQ · hard

Refer to the exhibit. What risk is introduced by this IAM policy?

A. Misconfigured encryption
B. Lack of logging
C. Excessive permissions
D. Weak authentication
Answer: C

The policy grants full access to all resources, creating a risk of privilege abuse.

Why this answer

The IAM policy grants `s3:*` actions on all S3 resources (`"Resource": "*"`), which allows any user or service assuming this role to perform any S3 operation, including deleting buckets, modifying permissions, or accessing all objects. This violates the principle of least privilege and introduces the risk of excessive permissions, as the policy does not restrict actions or resources to only what is necessary for the intended function.

Exam trap

The trap here is that candidates may focus on the absence of encryption or logging keywords in the policy, but the core risk is the overly broad action and resource scope, which is a classic excessive permissions vulnerability.

How to eliminate wrong answers

Option A is wrong because the policy does not reference encryption settings, KMS keys, or any condition that would misconfigure encryption; the risk is about authorization scope, not data protection configuration. Option B is wrong because the policy does not disable or omit logging settings; CloudTrail or S3 server access logging are independent of IAM policy statements and are not addressed here. Option D is wrong because the policy does not define authentication mechanisms, password policies, or MFA requirements; it only specifies allowed actions and resources after authentication has already occurred.

112
MCQ · medium

After a security incident, a company implements a new control and begins monitoring its effectiveness. Which of the following metrics would BEST indicate that the control is achieving its objective?

A. Decrease in the number of successful attacks.
B. Reduction in the number of vulnerabilities.
C. Number of incidents reported.
D. Time to detect incidents.
Answer: A

Directly reflects the control's ability to prevent or mitigate attacks.

Why this answer

Option A is correct because the control's objective is to prevent or mitigate incidents, so a decrease in successful attacks directly measures success. Option B is wrong because vulnerability count is a separate risk factor. Option C is wrong because incident reports include both successful and attempted attacks. Option D is wrong because time to detect is a response metric, not a measure of control effectiveness.

113
MCQ · medium

A bank's fraud detection system generates an alert for a transaction, but subsequent investigation finds it false. What should be done?

A. Document the false positive for trend analysis.
B. Report to the board.
C. Ignore future similar alerts.
D. Reduce the sensitivity of the detection system.
Answer: A

Tracking false positives helps identify patterns and improve the detection logic.

Why this answer

False positives should be documented for trend analysis to improve detection accuracy. Option A is correct. Option B is not appropriate for a single false positive. Option C ignores potential patterns. Option D reduces sensitivity blindly.

114
MCQ · medium

An organization wants to identify risks related to third-party vendors. Which approach best supports continuous risk identification?

A. Contractual clauses requiring self-assessment
B. On-site audits every two years
C. Automated monitoring of vendor security controls via a third-party risk platform
D. Annual vendor risk assessments
Answer: C

Automated monitoring provides continuous insight into vendor security posture.

Why this answer

Automated monitoring via a third-party risk platform enables continuous, real-time visibility into vendor security controls, such as firewall rule changes, vulnerability scan results, and compliance posture. This approach aligns with the CRISC principle of ongoing risk identification, as it detects changes in risk exposure between formal assessment cycles without relying on periodic snapshots.

Exam trap

The trap here is that candidates often choose periodic assessments (A, B, or D) because they seem thorough, but CRISC emphasizes continuous risk identification over point-in-time reviews, and automated monitoring is the only option that provides real-time, ongoing visibility.

How to eliminate wrong answers

Option A is wrong because contractual clauses requiring self-assessment rely on vendor-reported data, which may be outdated, incomplete, or biased, and do not provide continuous or independent verification. Option B is wrong because on-site audits every two years are infrequent, static snapshots that miss interim changes in vendor environments, such as new vulnerabilities or configuration drift. Option D is wrong because annual vendor risk assessments are periodic and cannot capture risks that emerge between assessments, such as zero-day exploits or rapid cloud infrastructure changes.

115
MCQ · easy

Refer to the exhibit. A risk practitioner is reviewing the access control list for a critical server. The ACL is applied inbound on the interface connecting to the internet. Which of the following is the MOST significant risk?

A. The ACL permits all HTTPS and DNS traffic from the subnet, increasing attack surface
B. The ACL has no logging enabled
C. The ACL is missing a permit statement for HTTP
D. The ACL blocks all traffic from the internet
Answer: A

Broad permits may allow unauthorized traffic.

Why this answer

Option A is correct because permitting all HTTPS (TCP/443) and DNS (UDP/53) traffic from any source on the internet to the critical server unnecessarily exposes the server to potential exploitation of vulnerabilities in the web server software (e.g., Apache, Nginx) and DNS resolver services. This broad permit statement increases the attack surface significantly, as HTTPS and DNS are common vectors for attacks such as SQL injection, cross-site scripting, and DNS amplification or tunneling. The risk is heightened because the ACL is applied inbound on the internet-facing interface, meaning all external traffic matching these protocols is allowed without restriction, bypassing any stateful inspection or application-layer filtering.

Exam trap

The trap here is that candidates often focus on missing logging (option B) or missing HTTP (option C) as the most critical issue, but the real risk is the overly permissive ACL that allows all HTTPS and DNS traffic from any source, which dramatically increases the attack surface and is a classic misconfiguration in ACL design.

How to eliminate wrong answers

Option B is wrong because the absence of logging is a monitoring deficiency, not the most significant risk; logging is important for forensic analysis but does not directly increase the attack surface or allow malicious traffic. Option C is wrong because HTTP (TCP/80) is not explicitly permitted, but this is a lesser risk compared to allowing all HTTPS and DNS traffic, as HTTP traffic would be blocked by default (implicit deny) and does not expose the server to the same volume of potential attacks. Option D is wrong because blocking all traffic from the internet would actually reduce risk by preventing external access entirely, though it may break legitimate business functionality; however, the question asks for the most significant risk, and blocking all traffic is a security measure, not a risk.

116
MCQ · medium

During a review of third-party vendor risks, the risk team identifies that a cloud service provider's data center is located in a country with unstable political conditions. What should the risk practitioner do FIRST?

A. Document the risk and assess its potential impact.
B. Accept the risk based on the vendor's SLA.
C. Request the vendor to move data to another region.
D. Terminate the contract immediately.
Answer: A

Proper risk management starts with documentation and assessment.

Why this answer

The risk practitioner's first step should be to document the identified risk and assess its potential impact on the organization. This aligns with the CRISC framework's emphasis on risk identification and assessment before any treatment decisions are made. Without a thorough impact assessment, the organization cannot determine whether the risk is acceptable, requires mitigation, or warrants contract termination.

Exam trap

The trap here is that candidates may jump to a risk treatment action (accept, mitigate, or terminate) without first completing the foundational step of documenting and assessing the risk.

How to eliminate wrong answers

Option B is wrong because accepting a risk based solely on a vendor's SLA is premature without first assessing the actual impact and likelihood of the political instability affecting the data center's operations. Option C is wrong because requesting the vendor to move data to another region is a risk mitigation action that should only be considered after the risk has been documented and assessed. Option D is wrong because terminating the contract immediately is an extreme response that bypasses the necessary risk assessment and evaluation of alternative treatments.

117
MCQ · medium

Refer to the exhibit. An organization uses this firewall access list. What is the MOST significant risk associated with this configuration?

A. The final rule denies all traffic
B. HTTPS traffic is permitted to any destination
C. SSH access is only allowed from internal network
D. HTTP traffic is permitted from any source to any destination
Answer: D

Unrestricted HTTP exposure is risky.

Why this answer

Option D is correct because the rule `permit tcp any any eq 80` allows unrestricted HTTP access from any source, increasing exposure to web attacks. Option A is wrong because the deny-all rule is proper. Option B is wrong because HTTPS is needed for web traffic. Option C is wrong because SSH is restricted to the internal network.

118
MCQ · medium

A company operates a legacy system for which the vendor no longer provides security patches. What is the most critical risk to identify regarding this system?

A. Unpatched vulnerabilities
B. Incompatibility with new systems
C. Lack of vendor support
D. Skill shortage for maintenance
Answer: A

Without patches, all known vulnerabilities remain exploitable, posing a high risk.

Why this answer

Unpatched vulnerabilities are the most critical risk because the legacy system is exposed to known exploits that the vendor no longer addresses. Without security patches, attackers can leverage published CVEs to compromise the system, leading to data breaches or system takeover. This directly threatens the confidentiality, integrity, and availability of the system and its data.

Exam trap

The trap here is that candidates confuse the root cause (lack of vendor support) with the actual risk (unpatched vulnerabilities), leading them to select 'Lack of vendor support' instead of identifying the direct security exposure.

How to eliminate wrong answers

Option B is wrong because incompatibility with new systems is an operational or integration risk, not a security risk, and is less critical than unpatched vulnerabilities. Option C is wrong because lack of vendor support is a contributing factor to the risk, not the risk itself; the core issue is the resulting unpatched vulnerabilities. Option D is wrong because skill shortage for maintenance is a resource risk that affects the ability to manage the system, but it does not directly expose the system to exploitation like unpatched vulnerabilities do.

119
MCQ · medium

A multinational corporation has adopted a risk mitigation strategy for its key suppliers by requiring them to maintain ISO 27001 certification. During an audit, the risk manager discovers that one critical supplier lost its certification six months ago but did not report it, as contractually required. The supplier still has adequate security controls in place, and the relationship is strategically important. The CEO wants to avoid contract termination. What is the MOST appropriate risk response?

A. Issue a corrective action plan requiring the supplier to regain certification within three months, with monthly progress reviews.
B. Transfer the risk to the supplier's cyber liability insurance policy.
C. Accept the risk because the supplier still has effective controls, and update the risk register.
D. Terminate the contract immediately and find an alternative supplier.
Answer: A

This enforces the contract and restores the intended risk mitigation.

Why this answer

Option A is correct because it directly addresses the contractual breach with a remediation plan while keeping the supplier. Option B is wrong because transferring risk to the supplier's insurance does not restore certification. Option C is wrong because acceptance disregards the contractual requirement. Option D is wrong because termination may be too severe and disrupt operations.

120
MCQ · easy

Based on the exhibit, which of the following is the MOST likely risk scenario?

A. A denial-of-service attack on the SSH service
B. A brute-force attack targeting the root account
C. A successful privilege escalation by an insider
D. A misconfigured firewall allowing unauthorized access
Answer: B

Multiple failed password attempts in quick succession suggest a brute-force attack.

Why this answer

The exhibit shows repeated failed login attempts for the root account, which is a classic indicator of a brute-force attack. SSH logs typically record authentication failures, and a high frequency of 'Failed password for root' entries from a single source IP strongly suggests an automated password guessing attempt. This aligns with the risk scenario of a brute-force attack targeting the root account.

Exam trap

The trap here is that candidates may confuse authentication failure logs with network-level attacks (DoS or firewall misconfiguration) or assume that any failed login implies a successful breach, when in fact the logs only show the attempt, not the outcome.

How to eliminate wrong answers

Option A is wrong because a denial-of-service attack on the SSH service would manifest as connection timeouts, resource exhaustion, or service unavailability, not repeated authentication failure logs. Option C is wrong because a successful privilege escalation by an insider would show evidence of a normal user account gaining elevated privileges (e.g., via sudo or kernel exploit), not repeated root login attempts. Option D is wrong because a misconfigured firewall allowing unauthorized access would result in unexpected network traffic reaching the server, but the logs specifically show authentication failures, not firewall rule violations or allowed connections from unauthorized IPs.

121
MCQ · hard

A company is evaluating control effectiveness for a critical system. The control fails 10% of the time when tested. The inherent risk level is 'high'. What is the effect on residual risk?

A. Residual risk is unchanged
B. Residual risk is high
C. Residual risk is low
D. Residual risk is medium
Answer: B

Control failure rate of 10% does not sufficiently reduce inherent risk.

Why this answer

Residual risk is the risk remaining after controls are applied. With a control that fails 10% of the time and an inherent risk level of 'high', the residual risk remains high because the control is not sufficiently effective to reduce the risk to a lower level. In risk assessment, a control with a 10% failure rate is considered ineffective for a high inherent risk, leaving the residual risk unchanged at high.

Exam trap

The trap here is that candidates mistakenly think a control that works 90% of the time is effective enough to reduce residual risk, but for a high inherent risk, even a 10% failure rate leaves the residual risk high because the control is not sufficiently reliable.

How to eliminate wrong answers

Option A is wrong because residual risk is not unchanged; it is directly affected by control effectiveness, and a failing control does not reduce the inherent risk. Option C is wrong because residual risk cannot be low when the control fails 10% of the time and the inherent risk is high; low residual risk would require a highly effective control. Option D is wrong because medium residual risk would imply a moderate reduction, but a 10% failure rate for a high inherent risk does not achieve that; the risk remains high.

122
MCQ · hard

A company has a control that automatically rejects transactions over $10,000. During a review, it is found that 2% of transactions over $10,000 were approved due to a system glitch. The control owner says the glitch has been fixed. What should the risk practitioner do next?

A. Accept the control owner's assurance and close the finding.
B. Request evidence of the fix and perform a sample test of recent transactions.
C. Recommend a compensating control until the fix is confirmed.
D. Report the issue to the audit committee.
Answer: B

Ensures the issue is resolved.

Why this answer

Option B is correct because the risk practitioner must independently verify that the system glitch has been resolved before closing the finding. Requesting evidence of the fix (e.g., change logs, patch notes) and performing a sample test of recent transactions provides objective assurance that the control is now operating effectively. This aligns with the CRISC principle that control owner assurances alone are insufficient without validation, especially for automated controls where residual risk from the glitch could persist.

Exam trap

The trap here is that candidates assume a control owner's assurance is sufficient (Option A) or that a compensating control is always needed (Option C), but CRISC emphasizes independent verification of control fixes before closure.

How to eliminate wrong answers

Option A is wrong because accepting the control owner's assurance without evidence violates the risk practitioner's duty to independently validate control effectiveness; a verbal fix claim does not confirm the system glitch is resolved. Option C is wrong because recommending a compensating control is premature—the fix is already claimed to be implemented, and the practitioner should first verify it before adding compensating controls, which could introduce unnecessary complexity or cost. Option D is wrong because reporting directly to the audit committee bypasses normal escalation and management review; the issue should first be addressed with the control owner and management, and only escalated if the fix is not confirmed or if residual risk remains unacceptable.

123
MCQ · hard

A risk manager is reviewing the control monitoring reports and finds that a key control's effectiveness rating has dropped from 'effective' to 'partially effective' due to increased errors in manual data entry. Which of the following is the BEST course of action?

A. Conduct a root cause analysis to identify why errors increased.
B. Immediately implement an automated data entry solution.
C. Increase the frequency of monitoring to detect errors sooner.
D. Assign additional staff to double-check data entries.
Answer: A

Identifies underlying issues to inform corrective actions.

Why this answer

A root cause analysis (RCA) is the best course of action because it systematically identifies the underlying reasons for the increased manual data entry errors, such as inadequate training, unclear procedures, or system interface issues. Without understanding the root cause, any corrective action (like automation or additional staff) may address symptoms rather than the actual problem, leading to wasted resources or recurring control failures. This aligns with the CRISC principle that control effectiveness must be restored by addressing the fundamental cause of degradation, not just the symptoms.

Exam trap

The trap here is that candidates often choose immediate automation (Option B) because it seems like a modern, efficient fix, but the CRISC exam emphasizes that risk treatment must be based on root cause analysis to avoid ineffective or counterproductive controls.

How to eliminate wrong answers

Option B is wrong because immediately implementing an automated data entry solution without first conducting a root cause analysis may introduce new risks (e.g., integration issues, cost overruns, or data mapping errors) and does not address why manual errors increased—automation might not be necessary if the root cause is, for example, a training gap. Option C is wrong because increasing monitoring frequency only detects errors sooner but does not prevent them or fix the underlying cause; it is a detective control, not a corrective one, and may increase monitoring costs without improving control effectiveness. Option D is wrong because assigning additional staff to double-check data entries is a compensating control that adds cost and potential for human error, but it does not address why the original errors increased—it merely adds a layer of review without resolving the root cause.

124
MCQ · easy

Which of the following is the BEST example of a key risk indicator (KRI) for the risk of unauthorized access to sensitive data?

A. Average server uptime
B. Number of firewalls deployed
C. Percentage of users with access to sensitive data
D. Number of security awareness trainings completed
Answer: C

A high percentage indicates a larger attack surface for unauthorized access.

Why this answer

Option C is correct because a KRI must directly measure the likelihood or impact of a specific risk. The percentage of users with access to sensitive data is a direct indicator of the attack surface for unauthorized access; a higher percentage increases the probability that an unauthorized user could gain access, making it a leading indicator for that risk.

Exam trap

The trap here is confusing a control metric (e.g., number of firewalls or training completions) with a risk indicator; candidates often pick options that sound security-related but fail to directly measure the risk event's likelihood or impact.

How to eliminate wrong answers

Option A is wrong because average server uptime is an operational metric for availability, not a risk indicator for unauthorized access; it does not measure who can access data or how access controls are configured. Option B is wrong because the number of firewalls deployed is a control metric (a count of security devices), not a KRI; it does not indicate the effectiveness of access controls or the actual exposure of sensitive data. Option D is wrong because the number of security awareness trainings completed is a compliance or activity metric; it measures training completion, not the actual risk of unauthorized access, and does not reflect whether users are following access policies.

125
MCQ · easy

A manufacturing company's board of directors receives a monthly risk report. Which key performance indicator (KPI) is MOST relevant for the board to assess the effectiveness of internal controls?

A. Number of audit findings per business unit.
B. Number of risk assessments completed this month.
C. Percentage of employees completing annual compliance training.
D. Percentage of control tests passed within the reporting period.
Answer: D

Directly measures control effectiveness.

Why this answer

Option D is correct because the percentage of control tests passed directly indicates control effectiveness, which is a core board concern. Option A is wrong because the number of audit findings is an output, not a proactive control measure. Option B is wrong because the number of risk assessments completed is an activity metric, not an effectiveness measure. Option C is wrong because the percentage of employees trained is a compliance metric, not a control effectiveness measure.

126
MCQ · easy

An IT risk manager is facilitating a brainstorming session to identify threats. Which technique is BEST suited for identifying a wide range of potential threats?

A. Conduct a facilitated workshop with cross-functional stakeholders
B. Use a standard threat checklist
C. Review historical incident logs
D. Interview the heads of each department individually
Answer: A

Collaborative workshops leverage diverse expertise and are effective for threat identification.

Why this answer

A facilitated workshop with cross-functional stakeholders is best suited for brainstorming because it leverages diverse perspectives from IT, business, legal, and operations teams to identify a wide range of threats, including emerging and non-obvious ones. This collaborative approach aligns with the CRISC emphasis on qualitative risk assessment techniques that surface unknown unknowns, which static checklists or historical data cannot capture.

Exam trap

The trap here is that candidates often choose a standard threat checklist (Option B) because it seems systematic and comprehensive, but the question asks for the technique BEST suited for identifying a wide range of potential threats, which requires creative, collaborative exploration beyond predefined lists.

How to eliminate wrong answers

Option B is wrong because a standard threat checklist is inherently limited to predefined threats and cannot identify novel or context-specific threats that emerge from the unique environment or technology stack. Option C is wrong because reviewing historical incident logs only reveals threats that have already materialized, missing latent or future-oriented threats that have not yet occurred. Option D is wrong because interviewing department heads individually lacks the synergistic cross-pollination of ideas that occurs in a group workshop, often resulting in siloed perspectives and missed interdependencies.

127
MCQ · hard

During a risk assessment, the risk team identifies that a legacy system has multiple known vulnerabilities that cannot be patched. The system is critical for operations. Which of the following risk treatment options is MOST appropriate?

A. Accept the risk and monitor
B. Remediate by applying patches from the vendor
C. Avoid the risk by decommissioning the system
D. Mitigate by implementing compensating controls
Answer: D

Reduces risk while preserving system functionality.

Why this answer

Since the legacy system cannot be patched (Option B is impossible) and is critical for operations (decommissioning would disrupt the business, making Option C too drastic), the most appropriate treatment is to implement compensating controls. These controls, such as network segmentation, strict access controls, or an application-layer firewall, reduce the likelihood or impact of exploitation without modifying the vulnerable system itself, aligning with the risk mitigation strategy.

Exam trap

The trap here is that candidates often choose 'Accept the risk and monitor' (Option A) because they confuse 'acceptance' with a valid risk response for unpatched systems, failing to recognize that acceptance requires a formal decision and compensating controls when vulnerabilities are known and exploitable on critical assets.

How to eliminate wrong answers

Option A is wrong because accepting the risk without active monitoring or compensating controls is inappropriate when known, exploitable vulnerabilities exist on a critical system; passive acceptance increases exposure unnecessarily. Option B is wrong because the scenario explicitly states the system cannot be patched, making remediation via vendor patches technically infeasible. Option C is wrong because decommissioning a critical system would avoid the risk but at the cost of severe operational disruption, which is not the most appropriate response when compensating controls can reduce risk while maintaining operations.

128
Multi-Select · medium

An organization is conducting a risk assessment of its remote access infrastructure. Which THREE of the following are typical components of a risk assessment report? (Select THREE.)

Select 3 answers
A. Risk register with identified risks and ratings
B. Detailed network architecture diagrams
C. Logs of all remote access sessions
D. Legal disclaimers
E. Recommended control improvements
Answers: A, D, E

The risk register is a key component of the report.

Why this answer

A risk register is a core component of a risk assessment report because it formally documents each identified risk, its likelihood, impact, and risk rating (e.g., using a 5x5 matrix). This provides a structured, auditable record that supports decision-making and compliance with frameworks like ISO 31000 or NIST SP 800-30.

Exam trap

The trap here is that candidates confuse operational data (like logs or network diagrams) with risk assessment outputs, forgetting that a risk assessment report is a strategic summary, not a dump of raw technical details.

129
MCQ · hard

A multinational corporation is expanding its cloud infrastructure to include a new SaaS application that stores sensitive customer data. The vendor claims compliance with SOC 2 Type II and ISO 27001. The risk manager must determine if the remaining residual risk after vendor controls is within the company's risk appetite. Which of the following is the MOST critical next step?

A. Request the vendor's latest risk assessment report.
B. Conduct a data classification and legal review to identify applicable regulatory obligations.
C. Perform a pilot deployment and monitor for security incidents.
D. Accept the vendor's certifications as sufficient evidence of control effectiveness.
Answer: B

Data classification and legal review determine if additional controls are needed.

Why this answer

Option B is correct because understanding the data classification and regulatory requirements determines whether additional controls are needed beyond the vendor's certifications. Option A is wrong because the vendor's own risk assessment may not consider the company's specific requirements. Option C is wrong because a pilot does not assess regulatory compliance. Option D is wrong because certifications alone do not guarantee that all risks are addressed.

130
MCQ · easy

A risk analyst is reviewing control monitoring results and notices that a detective control has a high false positive rate. What is the BEST action to improve the control's efficiency?

A. Adjust the control's threshold or criteria
B. Accept the false positives as operational tolerance
C. Increase the monitoring frequency
D. Convert the control to a preventive control
Answer: A

Fine-tuning thresholds can reduce false positives while keeping detection effective.

Why this answer

Option A is correct because adjusting thresholds or criteria reduces false positives while maintaining detection capability. Option B is wrong because accepting the false positives does not improve efficiency. Option C is wrong because increasing the monitoring frequency may increase the number of false positives. Option D is not feasible because converting the control type is a design change, not a tuning action.

131
MCQ · medium

A company is conducting a risk assessment of a critical third-party service provider. Which of the following is the BEST source of information to identify risks associated with the provider's sub-processors?

A. The provider's documented vendor risk management program and audit reports of sub-processors
B. Service level agreements in the contract
C. SOC 2 Type II reports of the primary provider
D. Public announcements of data breaches involving the provider
Answer: A

This directly addresses sub-processor risk identification.

Why this answer

The provider's documented vendor risk management program and audit reports of sub-processors are the best source because they directly detail the controls, security posture, and compliance status of the sub-processors. This information is specific to the sub-processors' operations, unlike general reports or contracts that may not cover their unique risks. It enables the company to assess third-party and fourth-party risks as part of a comprehensive IT risk identification process.

Exam trap

The trap here is that candidates often choose SOC 2 Type II reports of the primary provider (Option C) thinking they cover all downstream risks, but they typically exclude sub-processor controls unless specifically scoped.

How to eliminate wrong answers

Option B is wrong because service level agreements (SLAs) define performance and availability metrics, not the security controls or risk posture of sub-processors; they are contractual, not evidence-based. Option C is wrong because SOC 2 Type II reports of the primary provider cover the primary provider's controls, not those of its sub-processors, and may exclude sub-processor operations entirely. Option D is wrong because public announcements of data breaches are reactive and historical, not a proactive source for identifying current risks associated with sub-processors.

132
MCQ · hard

Refer to the exhibit. A risk manager is reviewing IAM policies for an S3 bucket used for sensitive data. This policy allows which of the following?

A. Any user to read (GetObject) from the bucket
B. Any user to write (PutObject) to the bucket from any IP address
C. Users from the internal network (10.0.0.0/8) to write (PutObject) to the bucket
D. Users from the internal network to read (GetObject) from the bucket
Answer: C

The policy allows PutObject only from internal IPs.

Why this answer

Option C is correct because the policy statement includes a condition that restricts the s3:PutObject action to requests originating from the 10.0.0.0/8 IP range, and the principal is set to '*' (any authenticated user), meaning only authenticated users from the internal network can write to the bucket. The policy does not grant GetObject permissions, so reads are not allowed.

Exam trap

The trap here is that candidates often assume a policy with 'Principal': '*' allows anonymous access, but in S3 bucket policies, '*' means any authenticated AWS user unless the policy explicitly includes a 'NotPrincipal' or the bucket is configured for public access; additionally, the condition on source IP is easy to overlook, leading to the mistaken belief that writes are allowed from any IP.

How to eliminate wrong answers

Option A is wrong because the policy does not include any statement allowing s3:GetObject; it only grants s3:PutObject, so any user cannot read from the bucket. Option B is wrong because the policy includes a condition using aws:SourceIp to restrict PutObject to the 10.0.0.0/8 range, so it does not allow writes from any IP address. Option D is wrong because the policy does not grant s3:GetObject at all, so users from the internal network cannot read from the bucket.

133
Multi-Select · medium

Which TWO controls are most effective for reducing the risk of data leakage from endpoints in a remote work environment?

Select 2 answers
A. Conduct regular phishing simulation campaigns.
B. Implement Data Loss Prevention (DLP) software.
C. Enforce complex password policies for local accounts.
D. Require full-disk encryption on all laptops.
E. Use a VPN for all remote connections.
Answers: B, D

DLP monitors and controls data movement, directly reducing leakage risk.

Why this answer

Data Loss Prevention (DLP) software is highly effective because it monitors, detects, and blocks unauthorized transfers of sensitive data (e.g., PII, IP) from endpoints by inspecting content in motion, at rest, and in use. Full-disk encryption (FDE) protects data at rest by rendering the drive unreadable without the decryption key, mitigating leakage if a device is lost or stolen. Together, they address both active exfiltration and passive physical theft.

Exam trap

ISACA often tests the misconception that a VPN provides comprehensive data protection, but in reality it only secures data in transit, not data at rest or data in use on the endpoint.

134
MCQ · medium

A risk practitioner is designing a monitoring dashboard for operational risk. Which of the following is the most important consideration?

A. Automate the generation of reports.
B. Use real-time data feeds.
C. Tailor the information to the needs of the target audience.
D. Include all available risk indicators.
Answer: C

Ensures actionable insights.

Why this answer

Option C is correct because the primary goal of a monitoring dashboard is to enable effective decision-making. Tailoring information to the target audience ensures that stakeholders receive relevant, actionable data, reducing cognitive load and preventing alert fatigue. Without this alignment, even the most technically sophisticated dashboard fails its core purpose of supporting risk-informed decisions.

Exam trap

The trap here is that candidates confuse technical capability (real-time data, automation, completeness) with the business requirement of relevance, leading them to choose a technically impressive but contextually inappropriate option like B or D.

How to eliminate wrong answers

Option A is wrong because automating report generation addresses efficiency, not the fundamental requirement of relevance; a dashboard can be fully automated yet still present irrelevant or overwhelming data. Option B is wrong because real-time data feeds are not always necessary for operational risk monitoring—latency tolerance varies by risk type, and real-time feeds can introduce noise and false positives without proper context. Option D is wrong because including all available risk indicators violates the principle of materiality; excessive indicators obscure critical signals and violate the 'less is more' heuristic for effective dashboards.

135
MCQ · medium

During an IT risk assessment for a new cloud-based customer relationship management (CRM) system, the risk practitioner identifies that the vendor's data center is located in a country with different data protection regulations. Which of the following is the MOST appropriate next step?

A. Conduct a legal review to assess regulatory implications and contractual safeguards.
B. Recommend migrating to a different cloud provider.
C. Implement technical controls to encrypt data in transit and at rest.
D. Accept the risk because the vendor is compliant with industry standards.
Answer: A

Legal review ensures compliance and identifies necessary controls.

Why this answer

When a cloud vendor's data center is in a jurisdiction with different data protection regulations, the immediate priority is to understand the legal and contractual implications before making any technical or risk acceptance decisions. A legal review will identify specific regulatory conflicts (e.g., GDPR vs. local law) and assess whether existing contractual safeguards (such as Standard Contractual Clauses or Binding Corporate Rules) adequately address the gap. This step ensures that subsequent risk treatment decisions are informed by compliance requirements rather than assumptions.

Exam trap

The trap here is that candidates often jump to technical controls (encryption) as a universal solution, overlooking that regulatory compliance is a legal and contractual issue that cannot be fully resolved by encryption alone.

How to eliminate wrong answers

Option B is wrong because recommending migration to a different cloud provider is premature without first understanding whether the current vendor's legal and contractual framework can be remediated; migration may be unnecessary or more costly than adjusting safeguards. Option C is wrong because implementing technical controls like encryption (e.g., TLS 1.3 for transit, AES-256 for at-rest) addresses data confidentiality but does not resolve regulatory compliance issues such as data residency, lawful access by foreign governments, or cross-border transfer restrictions. Option D is wrong because accepting risk based solely on vendor compliance with industry standards (e.g., ISO 27001) ignores the fact that regulatory requirements are jurisdiction-specific and may impose obligations beyond those standards.

136
MCQ · hard

An organization uses a risk register that includes inherent risk, control effectiveness, and residual risk. During a quarterly review, the risk owner updates control effectiveness from 'partially effective' to 'effective'. What effect does this have on the residual risk rating?

A. Inherent risk changes
B. Residual risk decreases
C. Residual risk increases
D. Residual risk remains unchanged
Answer: B

Better controls reduce residual risk.

Why this answer

Option B is correct because improved control effectiveness reduces the likelihood or impact, thus lowering residual risk. Option A is wrong because inherent risk does not change based on controls. Option C is wrong because it states the opposite effect. Option D is wrong because residual risk does change when control effectiveness changes.

137
MCQ · easy

A control owner reports that a preventive control is operating as designed, but the risk owner is concerned that residual risk remains high. What should the risk practitioner do NEXT?

A. Update the risk register to reflect the high residual risk.
B. Recommend additional compensating controls.
C. Escalate the issue to the risk committee.
D. Perform a control effectiveness test to validate the control.
Answer: D

Verifies if control mitigates risk as intended.

Why this answer

The risk practitioner must first validate the control's effectiveness before taking any further action. Even though the control owner reports the preventive control is operating as designed, the risk owner's concern about high residual risk suggests the control may not be adequately mitigating the risk. Performing a control effectiveness test (D) provides objective evidence to determine whether the control is actually reducing risk to an acceptable level, which is the necessary next step before updating the risk register, recommending compensating controls, or escalating.

Exam trap

The trap here is that candidates assume the control owner's report of 'operating as designed' is sufficient evidence, but CRISC emphasizes that control effectiveness must be independently validated through testing before concluding on residual risk.

How to eliminate wrong answers

Option A is wrong because updating the risk register to reflect high residual risk should only occur after the control's effectiveness has been validated; prematurely updating without evidence could misrepresent the risk posture. Option B is wrong because recommending additional compensating controls is premature without first determining whether the existing control is effective; if the control is effective, compensating controls may be unnecessary and introduce unnecessary cost and complexity. Option C is wrong because escalating to the risk committee is a governance action that should be taken only after the risk practitioner has gathered sufficient evidence through testing; escalation without validation could cause unnecessary alarm or misdirect committee attention.

138
MCQ · hard

An international bank is expanding its operations into a new country with strict data localization laws. The IT department plans to use a cloud service provider that stores data in neighboring countries but promises compliance. The risk team has identified several potential risks: regulatory fines for non-compliance, data interception during cross-border transmission, and difficulty in auditing the cloud provider. The legal team advises that the contract includes data protection clauses, but these have not been tested. The risk manager must now prioritize risk identification efforts. What is the MOST important risk identification step the risk team should undertake?

A. Review the cloud provider's SOC 2 report.
B. Conduct a thorough legal review of the contract's data handling clauses.
C. Perform a regulatory compliance assessment specific to the new country's laws.
D. Map data flows to ensure all data is properly classified.
Answer: C

Understanding legal requirements is foundational.

Why this answer

Option C is correct because the most critical risk identification step when entering a new country with strict data localization laws is to perform a regulatory compliance assessment specific to that country's laws. This ensures the bank understands the exact legal requirements for data storage, processing, and transfer, which directly informs whether the cloud provider's promised compliance is achievable. Without this assessment, the risk team cannot accurately identify the scope and severity of regulatory fines or other legal risks.

Exam trap

The trap here is that candidates often choose Option B (legal review of contract) because they assume contractual clauses are the primary risk mitigation, but the question asks for risk identification, and without first understanding the local law, the contract's adequacy cannot be evaluated.

How to eliminate wrong answers

Option A is wrong because reviewing the cloud provider's SOC 2 report focuses on internal controls and security practices, not on compliance with specific data localization laws of the new country; SOC 2 reports are based on AICPA trust service criteria and do not address jurisdictional legal requirements. Option B is wrong because conducting a thorough legal review of the contract's data handling clauses, while important, assumes the contract is the primary risk control, but the contract clauses have not been tested and may not align with the new country's untested legal interpretations; this step is secondary to understanding the actual regulatory landscape. Option D is wrong because mapping data flows to ensure proper classification is a data governance activity that helps understand where data resides and moves, but it does not directly identify the legal risks of non-compliance with data localization laws; it is a supporting step, not the most critical for risk identification.

139
MCQeasy

Which risk identification technique relies on analyzing past incidents to predict future risks?

A.Brainstorming
B.Loss event data analysis
C.SWOT analysis
D.Delphi technique
AnswerB

Loss event data analysis uses historical incident data to predict future risks.

Why this answer

Loss event data analysis (B) is the correct risk identification technique because it systematically examines historical incident records, such as security logs, breach reports, and audit findings, to identify patterns and trends that can predict future risks. This empirical approach leverages past loss events to quantify likelihood and impact, making it distinct from generative or qualitative methods.

Exam trap

The trap here is that candidates confuse 'brainstorming' (a forward-looking ideation method) with data-driven analysis, failing to recognize that only loss event data analysis explicitly relies on historical incident records to predict future risks.

How to eliminate wrong answers

Option A is wrong because brainstorming is a creative, group-based technique that generates ideas without relying on historical data, focusing instead on hypothetical scenarios and expert intuition. Option C is wrong because SWOT analysis evaluates internal strengths/weaknesses and external opportunities/threats in a strategic context, not past incident records for risk prediction. Option D is wrong because the Delphi technique uses iterative anonymous surveys to achieve consensus among experts, not analysis of historical loss events.

140
MCQhard

An organization is considering moving from periodic control testing to continuous monitoring for its critical financial controls. What is the PRIMARY benefit of this transition?

A.Simplification of the control environment.
B.Reduction in monitoring costs.
C.Faster identification of control failures.
D.Elimination of all control failures.
AnswerC

Continuous monitoring reduces detection time.

Why this answer

Option C is correct because continuous monitoring allows for faster detection of, and response to, control failures. Option A is wrong because continuous monitoring is often more complex, not simpler. Option B is wrong because continuous monitoring often requires more resources. Option D is wrong because control failures are still possible; they are detected sooner, not eliminated.

141
Multi-Selecteasy

An organization is performing a business impact analysis (BIA) for its critical applications. Which TWO of the following are primary objectives of a BIA?

Select 2 answers
A.Prioritize recovery of business processes based on criticality.
B.Determine the likelihood of each threat event.
C.Identify the maximum acceptable outage (MAO) for each process.
D.Calculate the annualized loss expectancy (ALE).
E.Select appropriate risk response strategies.
AnswersA, C

BIA prioritizes processes for recovery.

Why this answer

Option A is correct because a primary objective of a BIA is to prioritize the recovery of business processes based on their criticality to the organization. This prioritization directly informs the recovery time objectives (RTOs) and resource allocation for each process, ensuring that the most critical functions are restored first during a disruption.

Exam trap

The trap here is that candidates confuse the BIA with the broader risk assessment process, mistakenly selecting options like determining threat likelihood or calculating ALE, which are distinct activities performed after the BIA is complete.

142
MCQmedium

Refer to the exhibit. What is the most appropriate immediate action for the control failure?

A.Ignore as it was followed by a pass.
B.Escalate to the board.
C.Accept the control failure due to subsequent pass.
D.Investigate the root cause of the failure because it occurred before the pass.
AnswerD

Root cause analysis is needed to determine why the control failed.

Why this answer

The control failure requires investigation even though the control later passed. The root cause of the failure must be understood to prevent recurrence. Option D is correct.

Option A ignores a potential issue. Option B escalates prematurely. Option C accepts risk without analysis.

143
MCQeasy

Refer to the exhibit. What action should the risk practitioner recommend FIRST?

A.Escalate to the board of directors.
B.Initiate a patch management process to apply critical patches.
C.Adjust the threshold to 10%.
D.Schedule a root cause analysis for next month.
AnswerB

Directly addresses the KRI.

Why this answer

The exhibit shows that critical vulnerabilities have been identified with a high risk score, and the current patch management process is not addressing them in a timely manner. The risk practitioner should first initiate a patch management process to apply critical patches, as this directly reduces the exposure to known exploits and aligns with the principle of treating the highest risks immediately. Delaying action or adjusting thresholds without remediation would leave the organization vulnerable.

Exam trap

The trap here is that candidates may confuse 'escalation' with 'first action' and choose Option A, not realizing that operational remediation (patching) must precede escalation unless the risk is beyond the risk appetite and requires immediate board-level decision-making.

How to eliminate wrong answers

Option A is wrong because escalating to the board of directors is a governance step that should occur after operational remediation actions have been attempted or if there is a systemic failure, not as the first action for a specific technical vulnerability. Option C is wrong because adjusting the threshold to 10% would arbitrarily lower the risk acceptance level without addressing the underlying vulnerabilities, potentially masking critical risks and violating risk management best practices. Option D is wrong because scheduling a root cause analysis for next month delays immediate remediation of critical vulnerabilities, which should be patched urgently to prevent exploitation; root cause analysis can be performed in parallel or after patching.

144
MCQmedium

A business continuity manager wants to identify risks that could disrupt critical business processes. Which source of information would be MOST valuable for identifying such risks?

A.Organizational charts
B.Industry benchmarks on downtime
C.Business impact analysis (BIA) documentation
D.Historical incident reports
AnswerC

BIA identifies critical processes, dependencies, and recovery objectives.

Why this answer

The Business Impact Analysis (BIA) documentation is the most valuable source because it systematically identifies critical business processes, their dependencies (e.g., specific servers, databases, network links), and the maximum tolerable downtime (MTD) for each. This directly pinpoints which risks would cause unacceptable disruption, making it the foundational input for risk identification in continuity planning.

Exam trap

The trap here is that candidates often choose historical incident reports (D) thinking past failures are the best predictor, but CRISC emphasizes proactive identification of all risks—including those never experienced—which only a BIA can systematically uncover by analyzing process criticality and dependencies.

How to eliminate wrong answers

Option A is wrong because organizational charts show reporting structures and roles, not the technical dependencies or recovery time objectives (RTOs) of critical processes. Option B is wrong because industry benchmarks on downtime provide generic statistics (e.g., average cost per hour) but do not identify specific risks to an organization's unique processes or infrastructure. Option D is wrong because historical incident reports only capture past failures, missing emerging threats, single points of failure not yet realized, or risks that have never materialized.

145
MCQhard

A software development company uses a DevOps pipeline with automated code deployment. Recently, a developer accidentally pushed a configuration file containing database credentials to a public repository. The credentials were changed within an hour, but the file remained public for a few hours. The risk team is now identifying risks in the CI/CD process. The security team has proposed adding static code analysis to detect secrets in code. The development team objects, citing false positives. The risk manager must identify the most significant risk that could lead to a data breach. Which risk should be prioritized?

A.Insufficient training on secure coding practices for developers.
B.Over-reliance on manual code reviews which are error-prone.
C.Lack of pre-commit hooks or automated scanning to prevent secrets from being committed.
D.Inadequate incident response procedures for exposed credentials.
AnswerC

Prevention at commit is the most direct control.

Why this answer

Option C is correct because the root cause of the incident was the absence of automated, pre-commit scanning to detect secrets before they are pushed to a repository. Pre-commit hooks (e.g., using tools like git-secrets or Talisman) or server-side scanning (e.g., GitHub secret scanning) can block credentials from being committed in the first place, directly preventing exposure. Without this control, the CI/CD pipeline lacks a critical preventive layer, making data breaches more likely despite post-commit remediation.

Exam trap

The trap here is that candidates focus on the incident response or training aspects (options A and D) because they seem like common root causes, but the question specifically asks for the most significant risk that could lead to a data breach, which is the lack of a preventive control (pre-commit scanning) that directly stops secrets from entering the repository.

How to eliminate wrong answers

Option A is wrong because insufficient training on secure coding practices, while valuable, does not address the immediate technical gap that allowed the secret to be committed; training alone cannot prevent accidental pushes without automated enforcement. Option B is wrong because over-reliance on manual code reviews is a secondary concern; the incident occurred due to a lack of automated scanning, not because manual reviews were bypassed or failed. Option D is wrong because inadequate incident response procedures for exposed credentials are a reactive control; the most significant risk is the preventive failure that allowed the secret to be pushed, not the speed of response after exposure.

146
MCQmedium

A risk assessment reveals that a legacy system has a high vulnerability score but low business criticality. The cost to remediate is high. What is the MOST appropriate risk response?

A.Avoid the risk by decommissioning the system
B.Accept the risk and monitor it
C.Mitigate the vulnerability with a patch
D.Transfer the risk via a managed security service
AnswerB

Acceptance is appropriate when cost outweighs benefit.

Why this answer

Option B is correct because acceptance is appropriate when the cost of mitigation exceeds the potential loss. Option A is wrong because avoidance (decommissioning) might not be necessary for a system of low business criticality. Option C is wrong because mitigation (patching) might not be cost-effective given the high remediation cost. Option D is wrong because transfer might not be possible for legacy systems.

147
MCQhard

A third-party vendor's security assessment reveals multiple high-risk findings related to data handling. The vendor is unwilling to remediate, citing cost. The vendor contract includes a clause that requires adherence to security standards. The organization's risk appetite for third-party risk is low. What is the most appropriate risk response?

A.Avoid by terminating the contract
B.Mitigate by reducing data shared
C.Transfer via insurance
D.Accept the risk and monitor
AnswerA

Termination eliminates the risk.

Why this answer

Option A is correct because avoidance by terminating the contract addresses the risk directly. Options B, C, and D do not fully resolve the risk given the low appetite.

148
MCQhard

What is the most significant risk identified by this configuration?

A.Denial of service attack on the S3 bucket
B.Loss of encryption keys
C.Unauthorized access to sensitive data from the internet
D.Data exfiltration by internal users
AnswerC

The wildcard principal and lack of condition allow anyone to read objects, leading to data exposure.

Why this answer

The configuration exposes the S3 bucket to the internet without proper access controls, such as a bucket policy that restricts access to specific IP addresses or requires authentication. This means anyone on the internet can read or write objects in the bucket, leading to unauthorized access to sensitive data. The most significant risk is the direct exposure of confidential information to untrusted external actors.

Exam trap

The trap here is that candidates may focus on internal threats (Option D) or encryption key management (Option B) instead of recognizing that a public bucket policy directly enables external unauthorized access, which is the most immediate and severe risk.

How to eliminate wrong answers

Option A is wrong because a denial of service attack on the S3 bucket is possible but less significant than unauthorized data access; the configuration does not inherently make the bucket more vulnerable to DoS than any other public endpoint. Option B is wrong because loss of encryption keys is not directly related to the bucket's public accessibility; encryption keys are managed separately (e.g., via AWS KMS) and are not exposed by the bucket policy itself. Option D is wrong because data exfiltration by internal users is a valid risk but is not the most significant in this context; the configuration explicitly allows any internet user to access the data, making external unauthorized access the primary concern.

149
MCQhard

A financial institution is assessing the risk of a new real-time payment system. The risk manager calculates that the annualized loss expectancy (ALE) for a potential fraud scenario is $500,000. The cost to implement a fraud detection solution is $200,000 initially with $50,000 annual maintenance. The solution is expected to reduce the ALE by 80%. What is the net benefit of implementing the solution over three years?

A.$1,000,000
B.$950,000
C.$800,000
D.$850,000
AnswerD

Correctly accounts for all costs and benefits.

Why this answer

The correct answer is D because the net benefit over three years is calculated as the reduction in ALE minus the total cost of the solution. The original ALE is $500,000 per year, and an 80% reduction saves $400,000 annually. Over three years, total savings are $1,200,000.

The total cost includes the initial $200,000 plus three years of maintenance at $50,000 each ($150,000), totaling $350,000. Net benefit = $1,200,000 - $350,000 = $850,000.

Exam trap

The trap here is that candidates often forget to include the annual maintenance costs over the full three-year period or mistakenly apply the 80% reduction to the total cost instead of the ALE, leading to incorrect net benefit calculations.

How to eliminate wrong answers

Option A is wrong because it incorrectly assumes the full ALE ($500,000) is saved each year without accounting for the 80% reduction factor, leading to an overestimation of $1,000,000 net benefit. Option B is wrong because it likely miscalculates the total cost or savings, perhaps omitting the initial implementation cost or misapplying the reduction percentage, resulting in $950,000. Option C is wrong because it may only consider the first year's net benefit or incorrectly subtract the total cost from a single year's savings, yielding $800,000.

150
MCQhard

A risk practitioner is reviewing the results of a control self-assessment (CSA) and finds that the control owner rated a control as 'effective' but an independent audit found control weaknesses. What is the BEST explanation for this discrepancy?

A.The control owner may have a biased perception of control effectiveness.
B.The CSA was conducted too long ago.
C.The control owner did not understand the control objectives.
D.The audit used a different definition of 'effective'.
AnswerA

Self-assessments often have inherent bias.

Why this answer

The control owner's self-assessment is inherently subjective and may be influenced by personal bias, lack of objectivity, or a desire to report favorable results. An independent audit provides an objective, evidence-based evaluation, so a discrepancy where the owner rates a control as 'effective' while the audit finds weaknesses strongly suggests the owner's perception is skewed. This is the most direct and common explanation for such a conflict in control self-assessment (CSA) results.

Exam trap

The trap here is that candidates may choose Option D (different definition of 'effective') because it seems like a logical technical reason, but the question asks for the 'BEST' explanation, and bias is a more common and fundamental cause of CSA-audit discrepancies than definitional differences.

How to eliminate wrong answers

Option B is wrong because the question does not provide any information about the timing of the CSA relative to the audit; even if the CSA was conducted recently, the discrepancy could still exist due to bias. Option C is wrong because while a control owner might misunderstand objectives, the more fundamental issue is that the owner's rating is a subjective judgment, not a technical misunderstanding of the control's purpose. Option D is wrong because while different definitions could cause a discrepancy, the audit and CSA typically use the same organizational standard for 'effective'; the more likely root cause is the owner's biased perception rather than a definitional mismatch.
