Certified in Risk and Information Systems Control (CRISC) — Questions 376-450

500 questions total · 7 pages · All types, answers revealed

Page 6 of 7
Question 376 · MCQ (medium)

A company has implemented an automated control monitoring system that generates alerts when transactions exceed predefined thresholds. The system has been in production for six months. The risk team notices that the number of alerts has been decreasing, while actual control failures have remained constant. Which of the following is the MOST likely cause?

A. Employees have learned to bypass the monitoring system
B. The control effectiveness has improved significantly
C. The data feed from transaction systems has degraded, causing missing data
D. The thresholds were automatically adjusted to be more restrictive
Answer: C

Degraded data reduces input, resulting in fewer alerts despite constant failures.

Why this answer

Option C is correct because degradation of data feeds could cause the system to miss transactions, leading to fewer alerts. Option D is wrong because increased automation typically increases detection. Option B is wrong because if controls were improved, actual failures would decrease.

Option A is wrong because employees gaming the system would likely increase failures, not keep them constant.

Question 377 · MCQ (medium)

An organization uses a qualitative risk assessment methodology. The risk matrix has impact and likelihood scales of 1-5. A risk is assessed with impact=4 and likelihood=3. What is the risk level?

A. Critical
B. High
C. Low
D. Medium
Answer: B

Product of 12 falls in high range.

Why this answer

In a qualitative risk assessment with a 5x5 risk matrix (impact and likelihood scales of 1-5), the risk level is determined by multiplying the impact and likelihood scores. Here, 4 (impact) × 3 (likelihood) = 12. Typically, a product of 12 falls into the 'High' risk category (e.g., 10-15 range), as defined by common CRISC and ISACA frameworks.

This aligns with the organization's methodology where scores above a threshold (e.g., 10) are classified as High, not Critical.

Exam trap

The trap here is that candidates often misapply the matrix by adding impact and likelihood (4+3=7) and selecting 'Medium', instead of multiplying (4×3=12) to correctly identify 'High'.

How to eliminate wrong answers

Option A is wrong because 'Critical' usually requires a product of 16-25 (e.g., impact=5 and likelihood=4 or 5), not 12. Option C is wrong because 'Low' corresponds to a product of 1-5 (e.g., impact=1 and likelihood=2), far below 12. Option D is wrong because 'Medium' typically covers a product of 6-9 (e.g., impact=3 and likelihood=3), whereas 12 exceeds that range.

Question 378 · MCQ (medium)

A university's IT department is implementing a single sign-on (SSO) solution for students and faculty. The solution will integrate with existing Active Directory and a cloud-based learning management system (LMS). During risk identification, the team learns that the SSO vendor had a minor security incident last year. The university's security policy requires multi-factor authentication (MFA) for all administrative access, but the SSO solution does not support MFA for student accounts. The project manager insists that MFA for students is not necessary because they only access academic records. The risk team must identify the most significant risk that could affect the university's reputation. Which risk should be documented?

A. SSO vendor's historical security incident could impact service availability.
B. Students may share passwords, leading to account compromise.
C. Lack of MFA for administrative accounts could allow unauthorized changes.
D. Without MFA, student accounts could be compromised to access sensitive academic data.
Answer: D

Compromised student accounts can lead to data breach and reputational damage.

Why this answer

The most significant reputational risk is that without MFA, student accounts are vulnerable to credential theft or brute-force attacks. If an attacker compromises a student account, they could access sensitive academic records (e.g., grades, personal data) protected under FERPA, leading to data breaches, legal penalties, and loss of public trust. The SSO vendor's past incident is less relevant because it was minor and does not directly expose the university's data.

Exam trap

The trap here is that candidates focus on the vendor's past incident (Option A) as a red flag, but the real risk is the missing MFA control for student accounts, which directly enables unauthorized access to sensitive data and reputational damage.

How to eliminate wrong answers

Option A is wrong because a minor historical security incident at the vendor does not directly threaten the university's reputation; service availability is an operational risk, not a reputational one tied to data exposure. Option B is wrong because password sharing is a user behavior issue, not a technical control gap; while it increases risk, the lack of MFA is the primary vulnerability that enables account compromise at scale. Option C is wrong because the scenario states MFA is required for all administrative access, and the SSO solution's lack of MFA applies only to student accounts, not administrative accounts.

Question 379 · MCQ (hard)

A financial institution is implementing a new online banking platform. The risk assessment identified that the platform will handle sensitive customer data and must comply with GDPR and local banking regulations. The project team proposes encrypting all data at rest and in transit, implementing multi-factor authentication (MFA), and conducting quarterly penetration tests. However, the risk owner is concerned about the residual risk of a sophisticated phishing attack that could bypass MFA. The board has a low risk appetite. What is the BEST way to address this residual risk?

A. Purchase cyber insurance to transfer the financial impact of a potential phishing attack.
B. Implement advanced phishing-resistant MFA (e.g., FIDO2) and conduct regular employee phishing simulation training.
C. Reduce the project scope to exclude online banking and revert to a less risky channel.
D. Accept the residual risk because the existing controls (encryption, MFA, pen tests) already provide reasonable assurance.
Answer: B

These controls directly reduce the residual risk of phishing bypassing standard MFA.

Why this answer

Option B is correct because it addresses the specific residual risk with targeted controls (phishing-resistant MFA plus phishing simulations and training) without overcomplicating the project. Option A is wrong because purchasing insurance does not reduce the likelihood of an attack. Option D is wrong because accepting the risk conflicts with the board's low appetite.

Option C is wrong because stopping the project is a disproportionate response to a manageable risk.

Question 380 · MCQ (medium)

You are the risk manager for a healthcare organization that uses an electronic health records (EHR) system. The system has a built-in audit log that records all access to patient data. Recently, the Chief Information Security Officer (CISO) raised a concern that there have been multiple reports of unauthorized access to patient records, but the audit log analysis has not identified any suspicious activity. You have been asked to investigate. Your review of the audit log configuration reveals that the system only logs successful access events, not failed access attempts. Additionally, the log retention period is set to 30 days, and the logs are stored in a flat file on the same server as the EHR application. The monitoring team manually reviews the logs at the end of each month. Which of the following is the MOST significant risk associated with the current monitoring approach?

A. Storing logs on the same server as the EHR application exposes them to alteration or deletion if the server is compromised.
B. The 30-day log retention period is too short to detect long-term patterns of unauthorized access.
C. Manual review of logs is ineffective and may miss critical events; automated monitoring should be implemented.
D. The audit log does not capture failed access attempts, which could indicate brute-force attacks or unauthorized access attempts.
Answer: A

Log integrity is compromised, which is a critical risk for monitoring and forensics.

Why this answer

Storing audit logs on the same server as the EHR application violates the principle of log segregation. If the server is compromised, an attacker can alter or delete the logs to cover their tracks, making detection impossible. This is the most significant risk because it directly undermines the integrity and availability of the evidence needed to investigate unauthorized access.

Exam trap

The trap here is that candidates focus on the operational deficiencies (short retention, manual review, missing failed attempts) rather than the foundational security control failure of log segregation, which is the most critical risk because it compromises the entire audit trail.

How to eliminate wrong answers

Option B is wrong because while a 30-day retention period may be suboptimal for long-term pattern analysis, it is not the most significant risk given that the logs are already vulnerable to tampering and the current manual review process would likely miss patterns regardless. Option C is wrong because although manual review is inefficient, the core issue is that even with automated monitoring, the logs stored on the same server could be destroyed or altered before any alert is triggered. Option D is wrong because while missing failed access attempts is a gap, the lack of logging for failed attempts is less critical than the complete loss of log integrity if the server is compromised.

Question 381 · MCQ (easy)

A risk analyst is reviewing monthly control test results. One control failed testing twice in a row. What is the FIRST step the analyst should take?

A. Report the failure in the next risk report to management.
B. Perform a root cause analysis of the control failure.
C. Update the risk register with a higher inherent risk rating.
D. Escalate the failure to the risk committee immediately.
Answer: B

Root cause analysis is essential before taking further action.

Why this answer

Option B is correct because understanding the root cause helps determine whether the failure is due to a control design issue or an operational lapse. Option D is wrong because escalating without analysis may cause unnecessary alarm. Option A is wrong because reporting to management without context is incomplete.

Option C is wrong because updating the risk register should follow root cause analysis.

Question 382 · MCQ (easy)

A new privacy regulation requires that all personal data be encrypted at rest. The current systems lack encryption. The cost to implement encryption is moderate, and the risk of non-compliance is high. Which risk response is most appropriate?

A. Mitigate by implementing encryption
B. Accept the risk
C. Avoid by discontinuing data processing
D. Transfer via cyber insurance
Answer: A

Encryption directly addresses the vulnerability.

Why this answer

Option A is correct because encryption directly mitigates the risk of non-compliance. Options B, C, and D are less effective or inappropriate.

Question 383 · MCQ (hard)

During a merger and acquisition (M&A) due diligence, the IT risk manager needs to identify risks in the target company's IT environment. Which approach is most effective for comprehensive risk identification?

A. Send a detailed questionnaire to the target's IT department
B. Review the target's public financial reports
C. Conduct a war gaming exercise
D. Conduct an on-site assessment of the target's IT infrastructure
Answer: D

On-site assessment enables direct observation, interviews, and hands-on review, yielding the most reliable risk identification.

Why this answer

An on-site assessment (Option D) allows the IT risk manager to directly observe the target's IT infrastructure, including physical security, network configurations, and operational practices. This hands-on approach uncovers risks that may be hidden or misrepresented in self-reported questionnaires, such as outdated firmware, unpatched systems, or insecure network segmentation. It provides the most comprehensive and accurate risk identification for M&A due diligence.

Exam trap

The trap here is that candidates may overestimate the reliability of self-reported data from questionnaires (Option A) because it seems systematic and efficient, but the CRISC exam emphasizes that direct verification through on-site assessment is essential for comprehensive risk identification in M&A due diligence.

How to eliminate wrong answers

Option A is wrong because a detailed questionnaire relies on self-reporting by the target's IT department, which may omit or downplay critical risks due to lack of awareness or intentional concealment, and cannot verify the actual state of systems like patch levels or firewall rules. Option B is wrong because public financial reports focus on monetary performance and regulatory filings, not on technical IT risks such as insecure configurations, unpatched vulnerabilities, or inadequate access controls. Option C is wrong because war gaming exercises are designed to test strategic responses to hypothetical scenarios, not to identify existing technical risks in a target's IT environment, and they lack the granularity needed for infrastructure-level assessment.

Question 384 · MCQ (hard)

An organization has a legacy system that cannot be patched due to vendor end-of-life. The system processes non-critical data. The risk manager has determined that the likelihood of exploitation is low, but the impact would be high. Which risk response strategy is MOST appropriate?

A. Mitigate the risk by applying vendor patches.
B. Avoid the risk by decommissioning the system immediately.
C. Transfer the risk by purchasing cyber insurance.
D. Accept the risk with compensating controls such as network segmentation.
Answer: D

Compensating controls reduce likelihood without patching.

Why this answer

Option D is correct because the system processes non-critical data and cannot be patched, making risk acceptance with compensating controls the most appropriate strategy. Network segmentation reduces the likelihood of exploitation by isolating the legacy system from critical assets, while the low likelihood and non-critical data make decommissioning or insurance less suitable. This aligns with CRISC best practices for legacy systems where patching is impossible and the risk is within the organization's risk appetite.

Exam trap

ISACA often tests the misconception that 'high impact' always requires mitigation or avoidance, but the trap here is that when likelihood is low and the data is non-critical, acceptance with compensating controls is the most cost-effective and appropriate response per the risk management framework.

How to eliminate wrong answers

Option A is wrong because the vendor has ended support, meaning no patches are available, so mitigation via patching is technically infeasible. Option B is wrong because decommissioning immediately is an extreme response for a system processing non-critical data with low exploitation likelihood; it would likely cause unnecessary operational disruption and cost. Option C is wrong because cyber insurance transfers financial risk but does not reduce the likelihood or impact of exploitation; it is a secondary response and not the most appropriate primary strategy for a low-likelihood, high-impact scenario where compensating controls can be applied.

Question 385 · Multi-Select (medium)

Which TWO of the following are key components of an effective risk and control monitoring program? (Select exactly two.)

Select 2 answers
A. Control testing schedules
B. Risk appetite statements
C. Defined key risk indicators (KRIs)
D. Quarterly board reporting
E. Annual risk assessment updates
Answers: A, C

Ensures controls are tested regularly.

Why this answer

Control testing schedules (A) are a key component because they define the frequency and scope of evaluating whether controls are operating effectively. Without a structured schedule, control failures may go undetected for extended periods, increasing risk exposure. Defined key risk indicators (KRIs) (C) are also essential because they provide leading metrics that signal potential risk events before they materialize, enabling proactive monitoring and timely corrective actions.

Exam trap

The trap here is that candidates confuse governance artifacts (like risk appetite statements and board reporting) with operational monitoring components, leading them to select options that are important for risk management but not part of the monitoring program's core structure.

Question 386 · MCQ (hard)

A company has multiple business units each using different risk assessment methodologies. The risk committee wants consistent monitoring reports. What is the BEST approach to achieve consistency?

A. Develop and mandate a standardized risk assessment methodology.
B. Aggregate risks at the enterprise level using a common taxonomy.
C. Require each business unit to adopt the same risk scoring scale.
D. Create a centralized reporting template with predefined fields.
Answer: A

Ensures consistent risk identification and evaluation.

Why this answer

Option A is correct because mandating a standardized risk assessment methodology ensures that all business units apply the same criteria, scales, and processes for identifying, analyzing, and evaluating risks. This eliminates methodological inconsistencies at the source, enabling the risk committee to produce truly comparable and reliable monitoring reports across the enterprise.

Exam trap

The trap here is that candidates confuse output consistency (templates, scales, or taxonomies) with input consistency (the methodology itself), leading them to choose options that only address surface-level uniformity rather than the root cause of inconsistent risk assessments.

How to eliminate wrong answers

Option B is wrong because aggregating risks using a common taxonomy only standardizes the classification of risks, not the underlying assessment methodology; different scoring and evaluation approaches would still produce incompatible results. Option C is wrong because requiring the same risk scoring scale does not address differences in how risks are identified, analyzed, or prioritized—two units using the same scale but different methodologies can still generate inconsistent risk levels for similar exposures. Option D is wrong because a centralized reporting template with predefined fields only standardizes the output format, not the input data or assessment process; if business units use different methodologies, the data entered into the template will remain inconsistent and non-comparable.

Question 387 · MCQ (medium)

After a risk assessment, the risk owner determines that the residual risk is still above the risk appetite. Which of the following is the MOST appropriate next step?

A. Transfer the risk
B. Ignore the risk
C. Accept the risk
D. Implement additional controls
Answer: D

Adding controls reduces residual risk to an acceptable level.

Why this answer

When residual risk remains above the risk appetite after initial risk assessment, the most appropriate next step is to implement additional controls to further reduce the risk to an acceptable level. This aligns with the risk treatment process where controls are selected and applied to lower the likelihood or impact of the risk event. Simply transferring, ignoring, or accepting the risk without further action would not address the gap between residual risk and risk appetite.

Exam trap

ISACA often tests the misconception that risk acceptance is always the default next step, but the trap here is that acceptance is only valid when residual risk is within appetite; when it is above, additional controls must be considered first.

How to eliminate wrong answers

Option A is wrong because transferring the risk (e.g., via insurance or outsourcing) does not reduce the inherent risk; it only shifts financial consequences, and the residual risk may still exceed appetite if the transfer is incomplete or not cost-effective. Option B is wrong because ignoring the risk is a deliberate avoidance of responsibility and violates the risk management principle that risks above appetite must be treated, not neglected. Option C is wrong because accepting the risk without implementing additional controls is only appropriate if the residual risk is within the risk appetite; here it is above, so acceptance without further action would be non-compliant with policy.

Question 388 · MCQ (easy)

Based on the exhibit, which risk is MOST likely to be identified during a risk assessment?

A. Weak passwords on user workstations
B. Unauthorized physical access to the data center
C. Lateral movement risk from DMZ to internal network
D. Incomplete audit logs on firewalls
Answer: C

Lack of segmentation allows propagation of attacks.

Why this answer

Option C is correct because the lack of segmentation between the DMZ and the internal network means that if a server in the DMZ is compromised, the attacker can easily move laterally to user workstations. Option A is wrong because the exhibit does not mention specific access control weaknesses. Option D is wrong because there is no indication of incomplete logging.

Option B is wrong because physical security is not mentioned.

Question 389 · MCQ (medium)

During a risk assessment, the risk manager identifies that the likelihood of a cyber-attack is high due to recent industry trends. However, the existing controls are deemed effective in reducing impact. Which of the following is the MOST appropriate risk response?

A. Mitigate
B. Avoid
C. Accept
D. Transfer
Answer: A

Mitigating by maintaining or enhancing controls is appropriate given high likelihood.

Why this answer

Mitigate is the most appropriate risk response because the likelihood of a cyber-attack is high, but existing controls are effective in reducing the impact. Mitigation involves implementing additional controls or enhancing existing ones to reduce the likelihood or impact further, which aligns with the scenario where controls are already effective but need to be strengthened to address the high likelihood.

Exam trap

ISACA often tests the distinction between 'mitigate' and 'transfer' by presenting scenarios where controls are effective but likelihood is high, leading candidates to incorrectly choose transfer (e.g., insurance) instead of recognizing that mitigation directly addresses the likelihood through additional technical controls.

How to eliminate wrong answers

Option B (Avoid) is wrong because avoiding the risk would require discontinuing the activity or system that exposes the organization to the cyber-attack, which is not necessary when controls are already effective and the risk can be managed. Option C (Accept) is wrong because accepting the risk implies a conscious decision to tolerate the potential impact without further action, which is inappropriate when the likelihood is high and controls are only effective, not optimal. Option D (Transfer) is wrong because transferring the risk (e.g., via cyber insurance) shifts the financial impact but does not address the high likelihood of the attack occurring, and the existing controls are already reducing impact, making mitigation a more direct response.

Question 390 · Matching (medium)

Match each CRISC domain to its description.


Establish and maintain a risk management framework

Identify and analyze IT risks

Select and implement risk mitigation controls

Continuously monitor and report risk status

Why these pairings

The CRISC domains cover the full lifecycle of IT risk management.

Question 391 · MCQ (hard)

During a risk assessment, an organization identifies that its legacy ERP system has a high likelihood of failure during peak transaction periods. The system supports critical financial operations. The risk owner proposes to upgrade the system, but the project would take 18 months and require significant capital investment. The CEO questions whether the risk can be reduced to an acceptable level more quickly. Which of the following is the MOST appropriate immediate risk response?

A. Implement enhanced monitoring and manual fallback procedures.
B. Increase cyber insurance coverage.
C. Accept the risk and budget for potential losses.
D. Outsource the ERP hosting to a cloud provider.
Answer: A

These measures reduce the impact of failures and can be deployed quickly.

Why this answer

Enhanced monitoring and manual fallback procedures directly address the immediate risk of system failure during peak periods by providing early detection and a contingency plan to maintain critical financial operations. This response can be implemented quickly without the 18-month timeline and capital investment required for a full system upgrade, aligning with the CEO's request for a faster risk reduction.

Exam trap

The trap here is that candidates confuse a long-term strategic solution (system upgrade or cloud migration) with an immediate tactical response, failing to recognize that the question explicitly asks for the 'most appropriate immediate risk response' that can be deployed quickly.

How to eliminate wrong answers

Option B is wrong because cyber insurance coverage does not reduce the likelihood or impact of the ERP failure; it only provides financial compensation after a loss, which is not an immediate risk response. Option C is wrong because accepting the risk and budgeting for potential losses is a passive approach that does nothing to mitigate the high likelihood of failure during peak transactions, leaving critical financial operations exposed. Option D is wrong because outsourcing ERP hosting to a cloud provider involves significant migration effort, potential data residency issues, and contractual timelines that cannot be implemented immediately, and it does not address the legacy system's inherent instability during peak loads.

Question 392 · Multi-Select (easy)

A financial institution is implementing a new continuous monitoring solution for its transaction processing systems. The solution generates alerts for suspicious activities. Which TWO of the following are essential considerations when defining the alert thresholds?

Select 2 answers
A. Cost of the monitoring solution
B. Historical transaction patterns and baseline deviations
C. Vendor reputation for support
D. Number of employees in the monitoring team
E. The risk appetite of the organization
Answers: B, E

Baselining ensures thresholds reflect normal behavior.

Why this answer

Alert thresholds should align with historical transaction patterns and risk appetite. Cost and vendor reputation are relevant but not essential for threshold definition; reducing thresholds increases false positives.

Question 393 · MCQ (hard)

A multinational organization is implementing a risk mitigation strategy for a critical system. The business impact analysis shows that downtime costs are extremely high. Which risk response strategy is MOST appropriate for this scenario?

A. Risk avoidance by decommissioning the system
B. Risk transfer through cyber insurance
C. Risk reduction by implementing redundant systems
D. Risk acceptance because mitigation is too costly
Answer: C

Redundancy reduces both likelihood and impact of downtime.

Why this answer

Given the extremely high downtime costs, the most appropriate risk response is risk reduction through implementing redundant systems. This directly addresses the critical system's availability requirement by eliminating single points of failure, thereby reducing both the likelihood and impact of downtime. Decommissioning the system (avoidance) would eliminate the business function entirely, which is typically not viable for a critical system, while insurance (transfer) only provides financial compensation after the loss, not preventing the operational impact of downtime.

Exam trap

The trap here is that candidates may confuse risk transfer (insurance) as a primary solution for high downtime costs, overlooking that insurance does not prevent the operational impact and lost revenue during the outage itself, which is the core concern in this scenario.

How to eliminate wrong answers

Option A is wrong because risk avoidance by decommissioning the system would eliminate the business function that the critical system supports, which is typically not a viable strategy for a system deemed critical to operations. Option B is wrong because risk transfer through cyber insurance only provides financial reimbursement after a loss event, but does not prevent the extremely high operational downtime costs or the associated business disruption. Option D is wrong because risk acceptance is inappropriate when the business impact analysis shows that downtime costs are extremely high and a cost-effective mitigation (like redundancy) is available.

Question 394 · Multi-Select (hard)

Which THREE of the following are key components of an effective risk treatment plan?

Select 3 answers
A. Assigned responsibilities
B. Risk acceptance criteria
C. A timeline for implementation
D. The risk owner's signature
E. A detailed budget
Answers: A, B, C

Clear ownership ensures accountability.

Why this answer

Assigned responsibilities are a key component of an effective risk treatment plan because they ensure accountability for implementing specific risk mitigation actions. Without clear ownership, tasks may be delayed or overlooked, undermining the plan's execution. This aligns with the CRISC framework's emphasis on defining roles to operationalize risk response.

Exam trap

The trap here is that candidates confuse supporting artifacts (like budgets or signatures) with the core structural components of the plan, which are defined by ISACA as responsibilities, timelines, and acceptance criteria.

Question 395 · MCQ (easy)

After a data breach has been contained, what is the most important action for identifying underlying IT risks?

A. Update the risk register
B. Perform a root cause analysis
C. Implement new security controls
D. Review cyber insurance policy
Answer: B

Root cause analysis identifies the specific risks and weaknesses that led to the breach.

Why this answer

Root cause analysis systematically identifies the weaknesses that allowed the breach, directly contributing to risk identification. Updating the risk register, implementing controls, and reviewing insurance are subsequent steps.

Question 396 · Multi-Select (medium)

A risk analyst is reviewing the results of control testing for a critical business process. Which THREE of the following are valid reasons to classify a control as ineffective?

Select 3 answers
A. The control was not executed as per procedure.
B. The control failed during peak load testing.
C. The control design does not address the risk.
D. The control was tested once and passed.
E. The control owner was not available during the test.
Answers: A, B, C

Deviating from procedure compromises control effectiveness.

Why this answer

Options A, B, and C are correct. A: Non-execution per procedure means the control was not performed correctly. B: Failure under peak load indicates the control cannot handle real conditions. C: If the design does not address the risk, the control cannot mitigate it.

D is wrong because a single pass does not prove ineffectiveness. E is wrong because owner availability is not a control attribute.

Question 397 · Drag & Drop (medium)

Put the steps for performing a control self-assessment (CSA) in order.


Why this order

CSA involves defining scope, identifying controls, assessing effectiveness, gap identification, and reporting.

Question 398 · MCQ (medium)

An internal audit report identifies that the IT department did not patch a critical vulnerability in a database server for 90 days. The risk manager wants to identify the root cause risk. Which approach should be used?

A. Interview the database system owner
B. Conduct a new vulnerability scan
C. Update the risk register with the finding
D. Perform a root cause analysis on the patching process
Answer: D

Root cause analysis identifies process gaps leading to the delay.

Why this answer

Option D is correct because the risk manager needs to identify the root cause risk, which requires understanding why the patching process failed to apply a critical security update within the required timeframe. A root cause analysis (RCA) on the patching process systematically examines procedural breakdowns, such as missed scanning cycles, lack of change management approval, or insufficient prioritization of database-specific patches (e.g., Oracle Critical Patch Updates). This approach directly addresses the underlying process deficiency rather than merely documenting or re-verifying the vulnerability.

Exam trap

The trap here is that candidates confuse operational remediation (e.g., rescanning or interviewing) with risk identification analysis, failing to recognize that the question specifically asks for identifying the root cause risk, not just confirming or logging the finding.

How to eliminate wrong answers

Option A is wrong because interviewing the database system owner may provide anecdotal context but does not systematically uncover the procedural or systemic failures in the patching lifecycle, such as scheduling gaps or approval bottlenecks. Option B is wrong because conducting a new vulnerability scan would only confirm the current state of the vulnerability (e.g., whether it is still present or remediated), not reveal why the patch was delayed for 90 days. Option C is wrong because updating the risk register with the finding is a documentation step that records the risk but does not analyze the causal factors behind the patching failure.

399
Multi-Selectmedium

Which TWO of the following are primary sources of IT risk identification? (Select exactly TWO.)

Select 2 answers
A.Incident reports
B.Threat intelligence feeds
C.Asset inventory
D.Risk appetite
E.Policy documents
AnswersA, B

Incident reports document past events and vulnerabilities, revealing risks that materialized.

Why this answer

Incident reports are a primary source of IT risk identification because they provide direct evidence of past security events, such as malware infections, unauthorized access attempts, or system failures. By analyzing incident reports, risk practitioners can identify patterns, root causes, and control weaknesses that represent current or emerging risks. This historical data is essential for updating the risk register and prioritizing remediation efforts based on actual impact.

Exam trap

The trap here is that candidates often mistake asset inventory (a passive inventory list) as a primary risk identification source, when in fact it is a prerequisite for risk assessment but does not itself identify risks; the exam expects you to distinguish between inputs for risk assessment and sources that actively reveal risk events.

400
MCQmedium

During a risk assessment for a new financial application, the risk manager identifies that the application processes sensitive customer data and is accessible from the internet. Which of the following is the MOST appropriate risk scenario to document?

A.The application has several unpatched vulnerabilities that increase the likelihood of a security incident.
B.The application will implement multi-factor authentication to prevent unauthorized access.
C.An attacker could exploit weak authentication mechanisms to gain unauthorized access and exfiltrate customer data, resulting in regulatory fines and reputational damage.
D.The application must comply with PCI DSS requirements for data protection.
AnswerC

This is a well-defined risk scenario with threat, vulnerability, and impact.

Why this answer

Option C is the most appropriate risk scenario because it follows the standard risk scenario structure: threat (attacker), vulnerability (weak authentication), impact (unauthorized access, data exfiltration, regulatory fines, reputational damage). It directly ties the technical weakness to a business consequence, which is essential for communicating risk to stakeholders. The scenario is specific to the application's internet-facing nature and sensitive data processing, making it actionable for risk treatment.

Exam trap

The trap here is that candidates mistake a vulnerability or a control for a complete risk scenario, failing to include the threat actor and business impact that are required for proper risk identification.

How to eliminate wrong answers

Option A is wrong because it describes a vulnerability (unpatched flaws) without specifying a threat actor, attack vector, or business impact; it is a risk factor, not a complete risk scenario. Option B is wrong because it describes a control (multi-factor authentication) that would mitigate risk, not a risk scenario itself; it confuses a solution with the problem statement. Option D is wrong because it states a compliance requirement (PCI DSS) without linking it to a specific threat, vulnerability, or adverse outcome; it is a control objective, not a risk scenario.

401
Multi-Selecthard

A risk assessment identifies a high likelihood of a data breach due to insecure APIs. The risk team proposes disabling the APIs until they are secured, implementing a WAF, and purchasing breach insurance. Which THREE risk response options are being considered?

Select 3 answers
A.Remediate
B.Transfer
C.Avoid
D.Mitigate
E.Accept
AnswersB, C, D

Insurance transfers the financial impact.

Why this answer

Options B, C, and D are correct: Avoid (C, disabling the APIs), Mitigate (D, implementing a WAF), Transfer (B, purchasing breach insurance). Options A and E are not proposed.

402
MCQmedium

A company uses a third-party vendor to process customer data. The vendor's security control monitoring reports show no issues. However, the company's internal monitoring detects anomalies in vendor response times. What is the BEST interpretation?

A.The vendor's monitoring is accurate; the anomalies are false positives.
B.The anomalies may indicate a control gap in the vendor's environment.
C.The internal monitoring should be disabled to avoid confusion.
D.The vendor's monitoring is more reliable than internal monitoring.
AnswerB

Internal monitoring provides independent validation.

Why this answer

Option B is correct because the internal monitoring may have detected a control weakness not covered by the vendor's reports. Option A is wrong because a response time anomaly is a signal, not something to dismiss as a false positive. Option D is wrong because vendor reports may be incomplete.

Option C is wrong because internal monitoring is equally important and provides independent validation; it should not be disabled.

403
MCQhard

A multinational corporation is assessing the risk of non-compliance with GDPR. Which of the following is the BEST approach to quantify the potential fine?

A.Base the estimate on the organization's annual global turnover
B.Estimate based on the cost of cyber insurance premiums
C.Calculate the cost of data breach using the Ponemon Institute model
D.Use industry benchmarks for data breach costs
AnswerA

GDPR fines are up to 4% of annual turnover.

Why this answer

Under GDPR, the maximum fine for non-compliance is the greater of €20 million or 4% of the organization's annual global turnover. Therefore, basing the estimate on annual global turnover directly aligns with the regulatory formula used by supervisory authorities, making it the most accurate and defensible quantification approach for potential fines.

Exam trap

ISACA often tests the distinction between regulatory fines (which follow a fixed statutory formula) and broader breach costs (which include operational, reputational, and legal expenses), leading candidates to mistakenly select a comprehensive cost model like Ponemon instead of the turnover-based regulatory calculation.

How to eliminate wrong answers

Option B is wrong because cyber insurance premiums reflect market pricing for risk transfer, not the statutory penalty calculation defined in GDPR Article 83. Option C is wrong because the Ponemon Institute model estimates the total cost of a data breach (including detection, notification, and lost business), not the regulatory fine specifically. Option D is wrong because industry benchmarks for data breach costs are averages across sectors and do not incorporate the organization-specific turnover figure that GDPR mandates for fine calculation.

404
MCQhard

A company's key risk indicator (KRI) for 'failed login attempts' has exceeded its threshold by 20%. The control owner reports that a recent firewall change caused false positives. What should the risk practitioner do FIRST?

A.Validate the KRI data and investigate the root cause
B.Implement additional controls to reduce failed logins
C.Revert the firewall change immediately
D.Increase the KRI threshold to eliminate false positives
AnswerA

Data integrity check is essential before any action.

Why this answer

The correct answer is A. The first step is to verify the KRI data and confirm whether the threshold breach is real or due to a configuration issue. Option C (reverting the firewall change) is premature because the threshold breach may be invalid.

Option B is a corrective action taken without confirmation. Option D is too drastic without understanding the root cause.

405
MCQhard

A company is implementing a new cloud-based customer relationship management (CRM) system. The risk manager has identified that the vendor's security controls may not meet the company's requirements. Which of the following is the BEST way to address this risk?

A.Deny the existence of the risk
B.Purchase cyber insurance to cover potential losses
C.Avoid using the cloud CRM system
D.Include security requirements in the contract and perform regular vendor audits
AnswerD

This mitigates risk by enforcing controls.

Why this answer

Option D is correct because contractually requiring the vendor to adhere to security standards and performing regular audits is a common risk mitigation approach. Option B is wrong because transferring the risk via insurance does not reduce the actual risk. Option C is wrong because avoidance by not using the system may be too drastic.

Option A is wrong because denial is not a risk response.

406
MCQhard

During a risk assessment, the risk manager finds that a critical application has a single point of failure in its network path. The application's availability requirement is 99.99%. The current design achieves only 99.9% uptime. Which risk metric should be calculated first?

A.Annualized Loss Expectancy (ALE) based on potential downtime cost.
B.Risk gap between required and current service level.
C.Exposure factor (EF) representing the percentage of loss.
D.Single loss expectancy (SLE) for a single outage event.
AnswerB

Quantifying the gap helps prioritize remediation efforts and calculate downstream metrics.

Why this answer

The risk manager must first quantify the risk gap between the required 99.99% availability (approximately 52.56 minutes of downtime per year) and the current 99.9% availability (approximately 525.6 minutes per year). This gap of 473.04 minutes per year establishes the magnitude of the risk exposure before any financial calculations (ALE, SLE, EF) can be performed, as those metrics depend on knowing the actual downtime that needs to be costed.

Exam trap

The trap here is that candidates rush to calculate financial metrics (ALE, SLE, EF) without first establishing the foundational risk gap, which is the prerequisite for any meaningful quantitative risk analysis.

How to eliminate wrong answers

Option A is wrong because Annualized Loss Expectancy (ALE) requires the annual rate of occurrence (ARO) and single loss expectancy (SLE), which themselves depend on knowing the risk gap first; calculating ALE without the gap would use incorrect downtime figures. Option C is wrong because Exposure Factor (EF) is a percentage of asset value lost per incident, but the question asks for the first metric to calculate, and EF is derived after the risk gap is understood. Option D is wrong because Single Loss Expectancy (SLE) is calculated as asset value × exposure factor, and without first establishing the risk gap (the actual downtime difference), the SLE would be based on the wrong outage duration.

407
MCQmedium

During a cloud migration project, the IT risk manager is identifying risks associated with data residency. Which of the following is the MOST effective method to identify applicable regulatory requirements?

A.Interviewing cloud service providers about compliance
B.Implementing a data classification policy that maps to regulatory frameworks
C.Conducting a vulnerability scan of the cloud environment
D.Reviewing past audit findings
AnswerB

This proactively identifies data types and associated legal requirements.

Why this answer

Implementing a data classification policy that maps to regulatory frameworks is the most effective method because it systematically identifies which data types are subject to specific regulations (e.g., GDPR, HIPAA, LGPD) based on content and jurisdiction. This proactive approach ensures that all applicable legal and contractual requirements are considered before engaging with cloud providers, rather than relying on post-hoc interviews or scans.

Exam trap

The trap here is that candidates confuse operational security controls (vulnerability scanning) or reactive measures (vendor interviews, past audits) with the foundational governance step of classifying data to identify regulatory obligations, which is a core IT risk identification activity.

How to eliminate wrong answers

Option A is wrong because interviewing cloud service providers about compliance only captures the provider's self-reported stance, which may not cover all jurisdictional nuances or the organization's specific data types; it is a reactive, vendor-dependent method. Option C is wrong because conducting a vulnerability scan of the cloud environment identifies technical security weaknesses (e.g., open ports, misconfigurations) but does not reveal which regulatory frameworks apply to the data stored or processed. Option D is wrong because reviewing past audit findings only highlights previously identified issues and may miss new or evolving regulatory requirements relevant to the current migration scope.

408
Multi-Selecteasy

Which TWO of the following are examples of key risk indicators (KRIs) in an IT environment? (Choose two.)

Select 2 answers
A.Number of IT projects in progress.
B.Number of critical security vulnerabilities unresolved for more than 30 days.
C.Number of employees in the IT department.
D.System uptime percentage.
E.Annual IT budget variance.
AnswersB, D

Unresolved vulnerabilities indicate security risk.

Why this answer

Options B and D are correct. The number of unresolved critical vulnerabilities and the system uptime percentage are direct measures of IT risk. Option C is wrong because the number of employees is a people metric, not a risk indicator.

Option E is wrong because budget variance is a financial metric, not specifically a KRI. Option A is wrong because the number of IT projects is a workload metric, not a risk indicator.

409
MCQeasy

Which risk assessment approach is most appropriate for a new technology that has limited historical data and high uncertainty?

A.Quantitative risk assessment using ALE calculations.
B.Bow-tie analysis to map causes and consequences.
C.Automated risk scoring based on industry benchmarks.
D.Delphi technique with a panel of experts.
AnswerD

The Delphi technique is a qualitative method that uses expert consensus, suitable for uncertain environments.

Why this answer

The Delphi technique is most appropriate for a new technology with limited historical data and high uncertainty because it leverages the collective judgment of a panel of experts through iterative, anonymous rounds to reach a consensus on risk likelihood and impact. This approach does not rely on historical loss data or predefined benchmarks, making it ideal for novel or emerging technologies where empirical data is scarce.

Exam trap

The trap here is that candidates often choose quantitative methods like ALE (Option A) because they seem more 'objective,' failing to recognize that such methods are data-dependent and inappropriate when historical data is absent or unreliable.

How to eliminate wrong answers

Option A is wrong because quantitative risk assessment using ALE (Annualized Loss Expectancy) calculations requires reliable historical data on frequency and magnitude of losses, which is unavailable for a new technology with high uncertainty. Option B is wrong because bow-tie analysis is a structured method for mapping known causes and consequences of a specific risk event, but it presupposes a clear understanding of threat scenarios and controls, which is lacking when historical data is limited. Option C is wrong because automated risk scoring based on industry benchmarks assumes that the technology's risk profile aligns with established patterns from similar technologies, which is invalid for a novel technology where benchmarks do not exist or are not applicable.

410
Drag & Dropmedium

Sequence the steps for conducting a business impact analysis (BIA).

Why this order

BIA involves identifying critical processes, outage tolerance, dependencies, impact estimation, and prioritization.

411
Multi-Selectmedium

Which TWO of the following are characteristics of an EFFECTIVE key risk indicator (KRI)?

Select 2 answers
A.Provides an early warning signal of increasing risk exposure.
B.Is actionable, meaning it can trigger predefined responses when thresholds are breached.
C.Is derived from the organization's risk appetite statement.
D.Uses smoothed data to avoid alert fatigue.
E.Measures historical loss events.
AnswersA, B

Predictive nature is key for proactive risk management.

Why this answer

Options A and B are correct. An effective KRI should be predictive (leading) and actionable. Option E is wrong because lagging indicators (e.g., historical loss events) are not predictive.

Option C is wrong because risk appetite thresholds should be set based on the KRI, not the other way around. Option D is wrong because a KRI should be sensitive, not smoothed.

412
MCQhard

A multinational organization uses a third-party vendor for cloud-based identity management. The vendor recently suffered a data breach that exposed user credentials. The risk manager is now re-evaluating the associated risk. Which of the following steps should the risk manager perform FIRST to identify potential new risks?

A.Review the contract to determine if the vendor is liable for the breach.
B.Update the risk register to include the new threat scenario of credential compromise via the vendor.
C.Immediately revoke all vendor access to internal systems.
D.Conduct a penetration test of the organization's own systems.
AnswerB

Updating the risk register is the first step in risk identification after a new event.

Why this answer

Option B is correct because updating the risk register with the new incident information is the first step to ensure all risks are captured. Option A (contract review) is important but secondary. Option D (penetration test) may be a reactive measure but is not the immediate first step.

Option C (revoking vendor access) is a control, not risk identification.

413
MCQhard

A security operations center (SOC) analyst notices multiple failed login attempts from an internal IP address followed by a successful login from an unusual geographic location. Which risk identification technique should the risk manager use to assess this as a potential risk?

A.Run a phishing simulation for the user
B.Review the logs manually for other indicators
C.Conduct a vulnerability scan on the workstation
D.Perform user and entity behavior analytics (UEBA) on the user account
AnswerD

UEBA detects deviations from normal behavior, signaling potential compromise.

Why this answer

Option D is correct because user and entity behavior analytics (UEBA) can identify anomalous patterns indicative of account compromise, turning an event into a risk. Option C is incorrect because a vulnerability scan does not detect behavioral anomalies. Option A is incorrect because a phishing simulation tests user awareness, not specific events.

Option B is incorrect because log review alone may not contextualize the event as a risk without behavioral analysis.

414
MCQeasy

What is the primary risk if the WAF is misconfigured?

A.SQL injection attacks
B.Unauthorized database access
C.Denial of service
D.Network segmentation failure
AnswerA

WAF misconfiguration increases vulnerability to web attacks.

Why this answer

A WAF protects against web application attacks such as SQL injection. If misconfigured, the web application is exposed. Option A is correct.

Network segmentation failure (D) is not directly related. Denial of service (C) is a possibility but not the primary risk. Unauthorized database access (B) could result from SQL injection but is a consequence, not the primary risk.

415
MCQmedium

During a risk assessment, a control self-assessment (CSA) indicates that a key control is operating effectively. However, an independent audit finds multiple control failures. Which of the following is the MOST likely reason for this discrepancy?

A.The audit tested different samples
B.The control environment changed
C.The CSA participants lacked objectivity
D.The CSA was conducted too recently
AnswerC

Self-assessments can be biased, leading to overestimation of effectiveness.

Why this answer

Option C is correct because CSA participants may lack objectivity due to bias or lack of independence. Option B is less likely if the CSA is recent. Option A is possible but not the most likely cause of a systematic discrepancy.

Option D is possible but not specific to the CSA versus audit difference.

416
MCQeasy

A control test reveals a 100% pass rate for a detective control. What does this indicate?

A.The control is operating effectively
B.The control is too expensive to maintain
C.The control is compensating for other weaknesses
D.The associated risk has been fully mitigated
AnswerA

Pass rate indicates effective detection.

Why this answer

The correct answer is A. A 100% pass rate for a detective control suggests the control is effective at detecting issues, but it does not guarantee that no issues existed (since detection only happens if an issue occurs). Option B is irrelevant; options C and D are possible but not indicated by the pass rate alone.

417
Multi-Selecthard

Which THREE of the following are common challenges in risk reporting?

Select 3 answers
A.Timeliness of information.
B.Over-reliance on automated tools.
C.Data accuracy issues.
D.Too much detail.
E.Lack of board support.
AnswersA, C, D

Outdated information reduces the value of risk reports.

Why this answer

Common challenges include timeliness, data accuracy, and information overload (too much detail). Options A, C, and D are correct. Over-reliance on automated tools (B) is not typically a reporting challenge, and lack of board support (E) is more of a governance issue.

418
MCQmedium

A company has identified that its legacy financial system has a high inherent risk due to outdated architecture. The system cannot be replaced for three years. What is the best risk treatment strategy?

A.Accept the risk and allocate contingency funds for potential incidents.
B.Transfer the risk by purchasing cyber insurance.
C.Avoid the risk by discontinuing the system immediately.
D.Implement compensating controls such as network segmentation and enhanced monitoring.
AnswerD

Compensating controls reduce residual risk while the system remains in place.

Why this answer

Option D is correct because when a legacy system cannot be replaced for three years, the most effective risk treatment is to reduce the likelihood and impact of exploitation through compensating controls. Network segmentation limits lateral movement from the legacy system, and enhanced monitoring (e.g., SIEM with custom rules for anomalous traffic) provides early detection of compromise. This aligns with the ISACA risk treatment principle of risk reduction when avoidance or transfer is not feasible.

Exam trap

The trap here is that candidates often choose risk acceptance (Option A) or transfer (Option B) without recognizing that high inherent risk demands active reduction measures, especially when the system cannot be decommissioned.

How to eliminate wrong answers

Option A is wrong because accepting the risk without active reduction measures ignores the high inherent risk from outdated architecture, and contingency funds alone do not prevent data breaches or system downtime. Option B is wrong because cyber insurance transfers financial impact but does not reduce the operational or reputational risk; insurers may also deny claims if compensating controls are absent. Option C is wrong because discontinuing the system immediately would halt critical business operations, and the question explicitly states the system cannot be replaced for three years, making avoidance impractical.

419
MCQeasy

You are the IT risk manager for a financial institution that processes high-value transactions. The organization uses a cloud-based core banking system and on-premises servers for backup. During a recent risk assessment, you identified that the cloud provider's service-level agreement (SLA) guarantees 99.9% uptime, but the organization's business impact analysis (BIA) indicates that every hour of downtime costs $500,000. The current recovery time objective (RTO) for the core banking system is 4 hours, but the actual recovery capability is 6 hours due to manual steps in failover. The risk owner has accepted this risk informally. You are asked to recommend a course of action to the risk committee. Which of the following is the most appropriate recommendation?

A.Accept the risk because the cloud provider's SLA covers 99.9% uptime.
B.Continue with informal acceptance since the risk owner has already accepted it.
C.Reduce the RTO to 2 hours to align with industry best practices.
D.Document the risk gap (actual recovery of 6 hours vs. RTO of 4 hours) and present it to the risk committee for formal risk acceptance or remediation.
AnswerD

Formal documentation and escalation ensure the risk is properly managed and decisions are recorded.

Why this answer

The correct answer is D because the organization has a critical risk gap: the actual recovery capability (6 hours) exceeds the stated RTO (4 hours), meaning the business would incur $1M in losses (2 hours × $500K) before recovery completes. The risk owner's informal acceptance is insufficient for a financial institution processing high-value transactions; formal documentation and risk committee approval are required for governance and regulatory compliance. Presenting the gap enables informed decision-making on whether to accept the risk formally or invest in remediation (e.g., automating failover to meet the 4-hour RTO).

Exam trap

The trap here is that candidates confuse the cloud provider's SLA with the organization's RTO/RTA gap, or assume informal risk acceptance is sufficient, when CRISC emphasizes formal documentation and committee-level decision-making for risks exceeding thresholds.

How to eliminate wrong answers

Option A is wrong because the cloud provider's 99.9% SLA (8.76 hours annual downtime) does not address the specific gap between the 4-hour RTO and 6-hour actual recovery; it only covers cloud uptime, not the manual failover delays causing the breach. Option B is wrong because informal acceptance lacks the formal documentation and risk committee oversight required by CRISC best practices and regulatory standards (e.g., FFIEC guidelines for financial institutions), leaving the organization exposed to unmanaged risk. Option C is wrong because reducing the RTO to 2 hours without addressing the underlying manual failover process would widen the gap (actual 6 hours vs. new RTO of 2 hours), increasing potential losses to $2M per incident, and is not a feasible remediation without significant investment.

420
MCQeasy

A smart manufacturing company has deployed hundreds of IoT sensors and actuators across its production line. These devices are connected directly to the corporate network without any segmentation and communicate using unencrypted protocols. A third-party vendor manages all IoT devices and has administrative access from their own network. Recently, the IT team detected unusual outbound traffic from the IoT segment to unknown IP addresses on the internet. The risk manager is leading a risk identification workshop. Based on this scenario, what is the most critical risk to the organization that should be identified and documented?

A.Unauthorized remote access to the corporate network via the IoT devices
B.Compliance violation with industry regulations
C.Loss of data integrity due to tampering with sensor measurements
D.Physical damage to equipment due to unsafe actuator commands
AnswerA

Unsegmented IoT devices with third-party admin access and detected suspicious traffic represent a clear path for attackers to infiltrate the corporate network.

Why this answer

The most critical risk is unauthorized remote access to the corporate network via the IoT devices. The IoT devices are directly connected to the corporate network without segmentation and communicate using unencrypted protocols, while a third-party vendor has administrative access from their own network. The unusual outbound traffic to unknown IP addresses strongly suggests that an attacker has compromised the vendor's network or the devices themselves, using the unencrypted protocols (e.g., MQTT without TLS, Modbus/TCP) to pivot into the corporate network, bypassing perimeter defenses.

Exam trap

ISACA often tests the concept that the most critical risk is the one that is actively occurring and has the highest potential for immediate impact, not the one that is merely possible or a downstream consequence; candidates often pick a compliance or data integrity answer because they focus on data protection rather than network access control.

How to eliminate wrong answers

Option B is wrong because while compliance violations (e.g., GDPR, NIST CSF) are possible, the immediate and most critical risk is the active, confirmed unauthorized access via the observed outbound traffic, not a hypothetical regulatory issue. Option C is wrong because loss of data integrity from tampered sensor measurements is a secondary risk; the primary threat is the attacker already having network access, which enables data manipulation but is not the most critical risk identified from the traffic anomaly. Option D is wrong because physical damage from unsafe actuator commands is a potential consequence, but the direct evidence of unusual outbound traffic indicates an active network breach, making unauthorized access the most critical risk to document first.

421
MCQhard

A company is conducting a Risk Identification for a new payment processing system. The team discovers that the system does not have encryption at rest. This is an example of:

A.Control
B.Threat
C.Vulnerability
D.Risk
AnswerC

Lack of encryption at rest is a weakness or gap in controls.

Why this answer

The absence of encryption at rest in a payment processing system is a weakness or flaw that can be exploited, making it a vulnerability. In risk identification, a vulnerability is a condition or weakness in an asset (e.g., database, storage volume) that, if exploited by a threat, could lead to a risk event. Here, the missing encryption at rest (e.g., AES-256 for stored cardholder data) is a specific security gap, not the threat itself or the resulting risk.

Exam trap

The trap here is confusing a vulnerability (the missing encryption) with the risk (the potential for data exposure) or the threat (the attacker who might exploit it), leading candidates to pick 'Risk' or 'Threat' instead of the correct 'Vulnerability'.

How to eliminate wrong answers

Option A is wrong because a control is a safeguard or countermeasure (e.g., enabling encryption at rest via AWS KMS or BitLocker), not the absence of one. Option B is wrong because a threat is a potential cause of an unwanted incident (e.g., an attacker gaining physical access to the storage server), not the missing encryption itself. Option D is wrong because risk is the potential impact of a threat exploiting a vulnerability (e.g., financial loss from data breach), not the vulnerability itself.

422
MCQhard

Based on the exhibit, what is the MOST likely risk scenario?

A.Phishing attack that captured user credentials
B.Brute force attack resulting in account compromise
C.Insider threat from a legitimate user
D.Denial of service attack on the authentication server
AnswerB

Multiple failed attempts followed by success indicates compromise.

Why this answer

The exhibit shows a high number of failed authentication attempts from a single IP address over a short time window, followed by a successful login. This pattern is characteristic of a brute force attack, where an attacker systematically tries many password combinations until one succeeds, leading to account compromise.

Exam trap

ISACA often tests the distinction between authentication failures from a brute force attack versus a denial of service attack, where candidates mistakenly choose DoS because they see many failed attempts, but the key is that the server remains functional and a successful login occurs.

How to eliminate wrong answers

Option A is wrong because a phishing attack would typically capture credentials via a deceptive email or website, not through a high volume of failed logins from a single source. Option C is wrong because an insider threat from a legitimate user would not generate numerous failed authentication attempts; a legitimate user would likely succeed on the first try or have a few failures due to forgotten passwords, not a sustained brute force pattern. Option D is wrong because a denial of service attack on the authentication server would cause a flood of traffic or requests, overwhelming the server and preventing legitimate logins, but the exhibit shows a successful login after failures, indicating the server remained responsive and the attack targeted a specific account, not the server's availability.

423
MCQhard

A risk committee receives a monthly risk report that includes a heat map of inherent risk ratings and a separate list of control deficiencies. The committee members often complain that they cannot easily see which control deficiencies are most critical to address. Which of the following is the BEST improvement to the reporting?

A.Include a comprehensive list of all key risk indicators (KRIs)
B.Provide a separate section on recent audit findings
C.Overlay control deficiency impact ratings onto the residual risk heat map
D.Add a timeline of when each control deficiency was first identified
AnswerC

This visualization directly links control weaknesses to resulting risk levels, aiding prioritization.

Why this answer

Option C is correct because combining control deficiency impact ratings with residual risk ratings directly shows the effect on risk levels. Option A is wrong because adding all KRIs may overload the report. Option B is wrong because past audit findings may be outdated.

Option D is wrong because a chronological log does not prioritize by risk impact.

424
MCQeasy

When reporting risk and control monitoring results to the board of directors, which of the following formats is MOST effective?

A.Narrative reports describing findings in paragraphs.
B.Visual dashboards with key metrics and trend indicators.
C.Oral summary without supporting documentation.
D.Detailed spreadsheets with raw data for each control.
AnswerB

Effective for quick understanding.

Why this answer

Option B is correct because visual dashboards with trend lines and color coding quickly convey risk status. Option D is wrong because raw data is overwhelming. Option A is wrong because narrative alone lacks context.

Option C is wrong because a verbal-only summary may not be retained.

425
MCQeasy

Based on the exhibit, what is the primary risk response strategy demonstrated by this firewall rule?

A.Risk Transfer
B.Risk Acceptance
C.Risk Mitigation
D.Risk Avoidance
AnswerC

The firewall blocks specific IP ranges, reducing the probability of attacks.

Why this answer

Option C is correct because the firewall rule blocks malicious traffic, which reduces risk, i.e., mitigation.

426
MCQeasy

Refer to the exhibit. What does the exhibit most likely indicate about the control monitoring?

A.The control is effective but the monitoring configuration is incorrect.
B.The control is failing and needs immediate remediation.
C.The control is close to target but requires attention.
D.The control is meeting its target.
AnswerA

The target threshold should align with policy; the configuration error might cause false sense of effectiveness.

Why this answer

Option A is correct because the target is set to 90% while the policy requires 95%, so the monitoring configuration is incorrect. The control appears to meet the target (94.5% > 90%), but it fails to meet the policy requirement. Option D is wrong because the control meets the configured target but not the policy.

Option B is wrong because the current value is above the configured target. Option C is wrong because the control is not failing relative to the target; it is a configuration issue.

427
MCQeasy

A small manufacturing company is conducting its first IT risk assessment. The company has a flat network with no segmentation, and all employees have administrative access to their workstations. The risk practitioner identifies that a malware infection on one workstation could easily spread to the entire network. The company has a limited budget for IT security improvements. Which of the following risk treatment options is MOST cost-effective and practical?

A.Accept the risk because the company's data is not highly sensitive.
B.Deploy endpoint protection software on all workstations and restrict administrative rights for users.
C.Implement network segmentation and a next-generation firewall.
D.Purchase cyber insurance to cover potential losses.
AnswerB

Low cost, high impact on limiting malware spread.

Why this answer

Option B is the most cost-effective and practical because deploying endpoint protection software provides immediate defense against known malware, while restricting administrative rights prevents users from installing unauthorized software or making system changes that could introduce malware. This combination directly addresses the root cause of the risk—unrestricted user privileges and lack of basic malware defenses—without requiring expensive network redesign or ongoing insurance premiums.

Exam trap

The trap here is that candidates may choose network segmentation (Option C) as the ideal technical solution, but the question emphasizes cost-effectiveness and practicality for a small company with a limited budget, making the simpler, cheaper controls in Option B the better choice.

How to eliminate wrong answers

Option A is wrong because accepting the risk ignores the high likelihood and potential impact of a malware infection spreading across a flat network, even if data is not highly sensitive; operational downtime and recovery costs can be significant for a small company. Option C is wrong because network segmentation and a next-generation firewall are more expensive and complex to implement than endpoint protection and privilege restriction, making them less practical for a limited budget. Option D is wrong because cyber insurance does not reduce the likelihood or impact of a malware infection; it only provides financial compensation after a loss, which may not cover all costs (e.g., reputational damage, operational downtime) and often requires proof of basic security controls.

428
MCQmedium

A company plans to deploy an AI-based customer service chatbot that processes personal data. What risk should be identified as the highest priority?

A.Data privacy risk
B.Vendor lock-in risk
C.Model accuracy risk
D.Regulatory compliance risk
AnswerA

Processing personal data introduces significant privacy risks under regulations like GDPR, requiring immediate identification.

Why this answer

Processing personal data through an AI chatbot directly introduces data privacy risk as the highest priority because the system will collect, store, and potentially expose sensitive information (e.g., names, contact details, payment data). Under regulations like GDPR or CCPA, any breach or unauthorized access to this data can result in severe fines and reputational damage. While other risks exist, privacy risk is immediate and fundamental to the chatbot's operation.

Exam trap

ISACA often tests the distinction between a root cause risk (data privacy) and its downstream consequence (regulatory compliance), leading candidates to mistakenly select regulatory compliance risk as the highest priority.

How to eliminate wrong answers

Option B is wrong because vendor lock-in risk is a strategic or operational concern, not an immediate high-priority risk when personal data is involved; it does not directly threaten data confidentiality or integrity. Option C is wrong because model accuracy risk affects chatbot performance and user experience, but it does not inherently expose personal data or violate privacy regulations. Option D is wrong because regulatory compliance risk is a consequence of failing to manage privacy risk, not the root risk itself; the primary risk is the unauthorized processing or exposure of personal data.

429
MCQmedium

An incident occurs due to a control that was thought to be automated but was actually manual. The risk register did not reflect this. What is the MOST likely root cause?

A.Insufficient control monitoring and verification
B.Inadequate risk assessment methodology
C.Poorly designed controls
D.Lack of management support for risk management
AnswerA

Control operation was not verified against documentation.

Why this answer

The correct answer is A. The discrepancy between documentation and reality indicates a failure in control monitoring and verification. The other options are either too narrow, unrelated, or possible but less direct explanations of the discrepancy.

430
Drag & Dropmedium

Sequence the steps for developing a disaster recovery plan (DRP).


Why this order

DRP development begins with BIA, prioritization, strategy selection, documentation, and testing.

431
MCQeasy

During a quarterly control review, the risk team discovers that a key manual approval control was bypassed in 15% of transactions due to a recent process change. What is the FIRST action the risk practitioner should take?

A.Restore the original control process immediately.
B.Conduct a root cause analysis to determine why the bypass occurred.
C.Update the risk register to reflect the increased residual risk.
D.Escalate to senior management with a recommendation for disciplinary action.
AnswerB

Root cause analysis informs the most effective remediation.

Why this answer

Option B is correct because understanding the root cause of the bypass is essential before deciding on corrective actions. Option A is wrong because restoring the control without analysis may not address the underlying process change. Option D is wrong because escalating without analysis may not provide sufficient context.

Option C is wrong because updating the risk register is important but not the first action.

432
MCQmedium

Refer to the exhibit. An organization has identified vulnerabilities on a critical server. The risk owner has limited resources and can remediate only one finding this quarter. Based on the information provided, which approach is the most appropriate risk assessment decision?

A.Remediate both findings by reallocating budget from another project.
B.Remediate the SSL/TLS certificate vulnerability first, as it affects a critical service and has a higher severity.
C.Remediate the SSH vulnerability first because it is easier to fix (upgrade OpenSSH).
D.Accept both risks because they are low and medium severity, and resources are limited.
AnswerB

This prioritizes the higher-risk finding on a critical server, making the best use of limited resources.

Why this answer

Option B is correct because the SSL/TLS certificate vulnerability affects a critical service (likely HTTPS) and has a higher severity rating, making it the most urgent risk to address given limited resources. Risk assessment prioritizes remediating vulnerabilities that pose the greatest threat to critical business functions, even if another finding is easier to fix. The risk owner should allocate the single remediation slot to the highest-severity vulnerability on a critical server to maximize risk reduction.

Exam trap

The trap here is that candidates often choose the easiest fix (Option C) or assume budget reallocation is always possible (Option A), failing to recognize that risk assessment prioritization must be based on severity and business impact, not remediation effort or resource flexibility.

How to eliminate wrong answers

Option A is wrong because it violates the constraint of limited resources by suggesting reallocation of budget from another project, which is not an option presented in the scenario and would introduce additional risk and approval overhead. Option C is wrong because it prioritizes ease of remediation (upgrading OpenSSH) over severity and business impact, which contradicts the risk assessment principle of addressing the highest-risk findings first. Option D is wrong because accepting both risks is inappropriate when one vulnerability is high severity and affects a critical service; risk acceptance should only be considered for low-severity findings with minimal business impact, not for critical server vulnerabilities.

433
MCQhard

GlobalTech Inc., a multinational corporation, is planning to migrate its customer data to a new cloud platform. The migration involves transferring sensitive personally identifiable information (PII) from an on-premises database to a cloud-based CRM. The risk manager conducted a risk assessment and identified several risks, including unauthorized access during transit and residual data exposure due to misconfiguration. Mitigation controls include encryption in transit, encryption at rest, and strict access controls. The residual risk after mitigation is assessed as medium. The risk appetite statement defines that 'No data breach incidents resulting in regulatory fines exceeding $1 million are acceptable.' The estimated potential fine from a breach is $5 million with a likelihood of 2% after controls. The cost of additional controls to reduce likelihood to 0.5% is $500,000. The migration team proposes to purchase cyber insurance with $3 million coverage for a $200,000 annual premium. The board of directors prefers to accept the residual risk to avoid additional costs. What should the risk manager do?

A.Advise the board to avoid the migration until all risks are eliminated.
B.Recommend purchasing cyber insurance to transfer the risk.
C.Accept the board's decision since the residual risk is medium.
D.Recommend implementing additional controls to reduce likelihood to 0.5%.
AnswerA

Avoidance is the only response that satisfies the risk appetite.

Why this answer

Option A is correct because the potential fine of $5 million exceeds the appetite threshold of $1 million, making the risk unacceptable. The proposed controls and insurance do not reduce the impact below $1 million. Avoidance is the only option that fully aligns with the risk appetite.

Options B, C, and D fail to bring the risk within appetite.

434
MCQhard

A risk manager is reviewing the risk register and notices that several risks have been identified as 'high' but no risk owner has been assigned. Which of the following is the MOST appropriate action to ensure proper risk identification going forward?

A.Provide training to risk owners on their responsibilities.
B.Assign risk owners after the risk assessment is completed.
C.Conduct an audit of the risk identification process.
D.Update the risk identification policy to mandate that risk owners be identified during the initial risk identification phase.
AnswerD

Policy ensures risk ownership is established at identification time.

Why this answer

Option D is correct because the risk identification phase should include assigning risk owners to ensure accountability from the outset. Without a risk owner, identified risks cannot be properly managed, monitored, or escalated. Mandating owner assignment during initial identification embeds ownership into the process, preventing gaps in risk governance.

Exam trap

The trap here is that candidates often choose an audit (Option C) as a corrective action, but the question asks for the MOST appropriate action to ensure proper risk identification going forward, which requires a preventive policy change, not a retrospective review.

How to eliminate wrong answers

Option A is wrong because providing training to risk owners assumes they have already been assigned, but the core issue is that no owners exist for high risks; training does not solve the missing assignment. Option B is wrong because assigning risk owners after the risk assessment is completed delays accountability and violates the principle that owners should be identified during risk identification to enable timely response planning. Option C is wrong because conducting an audit of the risk identification process is a detective control that identifies past failures but does not proactively ensure proper identification going forward; it does not mandate owner assignment.

435
MCQeasy

A recent security assessment identified that a critical web application is vulnerable to SQL injection due to unpatched software. The vendor has released a security patch. Which risk response is most appropriate?

A.Mitigate by applying the patch
B.Avoid by taking the application offline
C.Accept the risk
D.Transfer via insurance
AnswerA

Patches remove the vulnerability.

Why this answer

Option A is correct because applying the patch mitigates the vulnerability directly. Options B, C, and D are less effective.

436
MCQhard

An organization uses a quantitative risk analysis method. The annualized loss expectancy (ALE) for a specific risk is calculated as $500,000. The cost of implementing a control is $150,000 per year, and it is expected to reduce the ALE by 80%. What is the net benefit of implementing the control?

A.$50,000
B.$400,000
C.$250,000
D.$350,000
AnswerC

Correct calculation of net benefit.

Why this answer

The current ALE is $500,000. An 80% reduction means the ALE decreases by $400,000, resulting in a new ALE of $100,000. The annual control cost is $150,000.

The net benefit is the reduction in ALE ($400,000) minus the control cost ($150,000), which equals $250,000. Option C is correct because it correctly calculates the net benefit as the risk reduction minus the control cost.

Exam trap

The trap here is that candidates often confuse the gross reduction in ALE ($400,000) with the net benefit, forgetting to subtract the annual control cost, leading them to select Option B.

How to eliminate wrong answers

Option A is wrong because $50,000 would result from incorrectly subtracting the control cost from the new ALE ($100,000 - $150,000 = -$50,000) or miscomputing the reduction. Option B is wrong because $400,000 is the gross reduction in ALE, not the net benefit after subtracting the $150,000 control cost. Option D is wrong because $350,000 would result from subtracting the control cost from the original ALE ($500,000 - $150,000) or from incorrectly calculating the reduction as 80% of the control cost.

437
MCQeasy

A financial institution is selecting a risk assessment methodology for evaluating cybersecurity risks across its critical systems. Which of the following is the PRIMARY consideration when choosing between qualitative and quantitative approaches?

A.The skill level of the risk assessment team
B.The organization's risk appetite statement
C.Compliance with regulatory requirements
D.Availability of reliable numerical data for risk factors
AnswerD

Quantitative analysis relies on numerical data; if unavailable, qualitative is preferred.

Why this answer

The choice between qualitative and quantitative risk assessment hinges on the availability of reliable numerical data. Quantitative methods require precise, objective data (e.g., asset values, historical loss frequencies, exposure factors) to compute metrics like Annualized Loss Expectancy (ALE). Without such data, the results would be misleading, making qualitative approaches (using ordinal scales and expert judgment) more appropriate.

This is the primary technical gate, as it directly determines the feasibility and validity of the quantitative model.

Exam trap

The trap here is that candidates confuse 'primary consideration' with 'most important factor overall' and pick regulatory compliance (C), but the question specifically asks for the consideration that determines the choice between the two methodologies, which is data availability.

How to eliminate wrong answers

Option A is wrong because while team skill affects execution, it is not the primary consideration; a skilled team can adapt to either methodology, but the data foundation must exist first. Option B is wrong because the risk appetite statement guides risk acceptance thresholds, not the selection of a methodology; both qualitative and quantitative outputs can be mapped to appetite. Option C is wrong because regulatory requirements typically mandate a risk assessment process (e.g., NIST CSF, ISO 27001) but do not prescribe a specific methodology (qualitative vs. quantitative); compliance can be achieved with either.

438
MCQmedium

A multinational corporation has recently experienced a significant increase in phishing attacks targeting its employees. The attacks have caused several data breaches, resulting in regulatory fines and reputational damage. The organization has implemented security awareness training for all employees, but the number of successful attacks remains high. Additionally, the organization's risk appetite for cybersecurity incidents is Low. The CRO has asked you to recommend a risk response. Which course of action is most appropriate given the organization's risk appetite and the current situation?

A.Avoid the risk by discontinuing the use of email for business communications.
B.Accept the risk because the training has reduced the likelihood, and further controls are too expensive.
C.Implement technical controls such as advanced email filtering and multi-factor authentication (MFA) to reduce the likelihood and impact of phishing attacks.
D.Transfer the risk by outsourcing all email and security operations to a managed security service provider (MSSP).
AnswerC

Correct: Technical controls directly reduce likelihood and impact, aligning with low risk appetite.

Why this answer

Option C is correct because implementing technical controls like advanced email filtering (e.g., SPF, DKIM, DMARC validation) and multi-factor authentication (MFA) directly reduces both the likelihood and impact of phishing attacks. Given the organization's low risk appetite for cybersecurity incidents, this risk mitigation approach aligns with the need to lower residual risk to an acceptable level, especially since training alone has proven insufficient.

Exam trap

The trap here is that candidates may choose Option D (transfer) thinking outsourcing removes all risk, but in reality, the organization retains accountability for breaches and regulatory fines, making mitigation (Option C) the most appropriate response given the low risk appetite.

How to eliminate wrong answers

Option B is wrong because accepting the risk contradicts the organization's stated low risk appetite for cybersecurity incidents, and the training has not reduced the likelihood of successful attacks. Option D is wrong because transferring risk to an MSSP does not eliminate the organization's residual liability for regulatory fines and reputational damage, and the MSSP's controls may not fully align with the low risk appetite. Option A is wrong because avoiding the risk by discontinuing email is impractical for a multinational corporation, as email is a critical business communication channel, and this response would cause severe operational disruption without addressing the root cause of phishing.

439
Multi-Selecteasy

Which TWO of the following are examples of external risk identification sources? (Choose two.)

Select 2 answers
A.Incident response reports from the security operations center
B.Regulatory bulletins from government agencies
C.Internal vulnerability scan reports
D.Threat intelligence feeds from industry sources
E.Industry benchmarking reports
AnswersB, D

External compliance requirements.

Why this answer

Regulatory bulletins from government agencies (Option B) are external risk identification sources because they originate outside the organization and provide authoritative information on compliance requirements, legal changes, and mandated controls. Threat intelligence feeds from industry sources (Option D) are also external, as they aggregate data on emerging threats, vulnerabilities, and attack patterns from third-party vendors or open-source communities, helping organizations proactively adjust defenses.

Exam trap

The trap here is that candidates often confuse internal operational reports (like incident response or vulnerability scans) with external sources, failing to recognize that 'external' means information originating outside the organization's own systems and processes.

440
Multi-Selectmedium

Which THREE of the following are key considerations when selecting a risk response option?

Select 3 answers
A.Cost-benefit analysis of controls
B.Impact of the risk without controls
C.Risk appetite of the organization
D.Current control effectiveness
E.Legal and regulatory requirements
AnswersA, C, E

Cost-effectiveness is crucial.

Why this answer

Options A, C, and E are correct. Risk appetite determines the acceptable level of risk. Weighing the cost of a control against its benefit is essential.

Regulatory requirements cannot be ignored. Option D is wrong because current control effectiveness is not a selection criterion but part of the assessment. Option B is wrong because impact without likelihood gives an incomplete view.

441
MCQhard

A financial institution is implementing a new risk monitoring tool that aggregates data from multiple sources. The tool is expected to provide real-time dashboards for risk committees. However, during user acceptance testing, the dashboards show inconsistent data due to time zone differences across sources. What is the best approach to resolve this?

A.Modify the dashboard to display each source's local time separately.
B.Ask each source to adjust their time zone to the corporate headquarters time zone.
C.Standardize all timestamps to Coordinated Universal Time (UTC) during data ingestion.
D.Use the time zone of the majority of sources and convert others.
AnswerC

Best practice for time normalization.

Why this answer

Option C is correct because standardizing all timestamps to Coordinated Universal Time (UTC) during data ingestion ensures a single, unambiguous reference point for all aggregated data. This eliminates the root cause of inconsistency—differing local time zones—at the point of data entry, allowing the real-time dashboards to display consistent, comparable metrics regardless of the source's geographic location. This approach aligns with the principle of normalizing data at the earliest stage of the data pipeline, which is a fundamental practice in risk monitoring and reporting.

Exam trap

The trap here is that candidates often choose Option A, thinking that displaying local times separately is a 'user-friendly' solution, but they fail to recognize that the core requirement is consistent, comparable data for risk committees, not individual source readability.

How to eliminate wrong answers

Option A is wrong because displaying each source's local time separately does not resolve the inconsistency; it merely exposes the problem, making it impossible for risk committees to compare data across sources in a unified, real-time view. Option B is wrong because asking each source to adjust their time zone to corporate headquarters time is impractical, error-prone, and introduces a single point of failure; it also fails to account for daylight saving time changes and does not scale across multiple time zones. Option D is wrong because using the time zone of the majority of sources and converting others introduces bias and still leaves a subset of data with potential conversion errors, especially during daylight saving transitions, and does not guarantee consistency across all sources.

442
MCQeasy

A small e-commerce company has identified a high-risk vulnerability in its payment processing system that could expose customer credit card data. The IT team recommends immediately patching the system, but the patch requires a 4-hour downtime during peak sales hours. The risk manager proposes accepting the risk until the next scheduled maintenance window in two weeks. The CEO is concerned about potential fines from PCI DSS non-compliance. What is the BEST course of action?

A.Delay the patch until the next maintenance window but document the risk acceptance with CEO sign-off.
B.Accept the risk and schedule the patch during the next maintenance window as originally planned.
C.Apply the patch immediately during peak hours, accepting the revenue loss from downtime.
D.Implement a compensating control (e.g., web application firewall) and schedule the patch during off-peak hours within 48 hours.
AnswerD

Compensating controls reduce risk while allowing a timely patch without peak-hour disruption.

Why this answer

Option D is correct because it balances the need to address PCI DSS compliance with business continuity. Implementing compensating controls reduces risk while avoiding peak-hour downtime. Option B is wrong because accepting the risk ignores compliance obligations.

Option C is wrong because it prioritizes compliance over business impact with excessive downtime. Option A is wrong because postponing until the next window leaves a high risk unaddressed.

443
MCQeasy

During a control monitoring review, the auditor finds that a control designed to detect unauthorized access has not triggered any alerts in six months. What should the risk practitioner do first?

A.Document the lack of alerts as evidence of effectiveness.
B.Redesign the control with different parameters.
C.Test the control to ensure it is functioning correctly.
D.Increase the frequency of monitoring.
AnswerC

Verifies control effectiveness.

Why this answer

The absence of alerts does not automatically confirm that the control is working; it could indicate that the control has failed silently or that the detection logic is misconfigured. The risk practitioner must first test the control (e.g., by simulating an unauthorized access attempt) to verify that it can actually detect and alert on violations. Only after confirming correct functionality can the lack of alerts be interpreted as evidence of effectiveness.

Exam trap

The trap here is that candidates assume a lack of alerts equals a lack of incidents, rather than recognizing that it could indicate a control failure, and they jump to redesign or increase monitoring without first validating the control's operational state.

How to eliminate wrong answers

Option A is wrong because documenting the lack of alerts as evidence of effectiveness assumes the control is operational without verification, which ignores the possibility of a silent failure (e.g., a broken SIEM rule or a disabled detection agent). Option B is wrong because redesigning the control with different parameters is premature and wasteful; the issue may be a simple configuration error or a false negative, not a fundamental design flaw. Option D is wrong because increasing monitoring frequency does not address the root cause—if the control is not detecting unauthorized access, more frequent checks will only produce more false negatives or miss the same failures.

444
MCQhard

A multinational corporation is identifying risks associated with cross-border data transfers. Which regulation's risk identification requirements are most relevant?

A.PCI DSS
B.GDPR
C.HIPAA
D.SOX
AnswerB

GDPR requires risk assessments for international data transfers.

Why this answer

The General Data Protection Regulation (GDPR) is the most relevant regulation for risk identification in cross-border data transfers because it explicitly governs the transfer of personal data from the European Economic Area (EEA) to third countries. GDPR requires organizations to identify and assess risks related to adequacy decisions, Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), and potential data localization conflicts. This regulation directly addresses the legal and technical risks of moving data across borders, such as exposure to differing privacy laws and surveillance regimes.

Exam trap

The trap here is that candidates often confuse PCI DSS or HIPAA as relevant because they involve sensitive data, but they lack the specific cross-border transfer risk identification requirements that GDPR mandates, leading to an incorrect choice based on data sensitivity rather than regulatory scope.

How to eliminate wrong answers

Option A is wrong because PCI DSS focuses on protecting cardholder data within payment card transactions and does not specifically address cross-border data transfer risks or require adequacy assessments for international data flows. Option C is wrong because HIPAA governs protected health information (PHI) within the United States and does not impose cross-border transfer risk identification requirements for data leaving the U.S. jurisdiction. Option D is wrong because SOX mandates internal controls over financial reporting and does not contain provisions for cross-border data transfer risk identification or data protection adequacy mechanisms.

445
MCQhard

Refer to the exhibit. Which type of attack is MOST likely indicated by these log entries?

A.SQL injection
B.Cross-site scripting (XSS)
C.Cross-site request forgery (CSRF)
D.Brute-force or credential stuffing
AnswerD

Duplicate entry error and login success indicate multiple attempts.

Why this answer

Option D is correct because the duplicate entry error for 'admin' combined with a subsequent successful login suggests a brute-force or credential stuffing attack in which an attacker tries multiple passwords against the same account. Option A is wrong because SQL injection would produce different error messages. Option B is wrong because XSS would show up in rendered output rather than in authentication log entries.

Option C is wrong because CSRF does not involve repeated login attempts or session manipulation of this kind.

446
Multi-Selecteasy

A company is designing its risk and control monitoring program. Which TWO of the following are key attributes of effective monitoring?

Select 2 answers
A.All controls should be monitored at the same frequency.
B.Monitoring should only be performed by external auditors.
C.Monitoring results should be communicated to stakeholders.
D.Monitoring should be independent of the control owner.
E.Monitoring frequency should be determined by control criticality.
AnswersC, E

Communication enables informed decision-making.

Why this answer

Options C and E are correct. E: Monitoring frequency should be risk-based, so critical controls are monitored more frequently. C: Results must be communicated to stakeholders to drive action.

A is wrong because not all controls need the same frequency. B is wrong because internal teams can perform monitoring. D is wrong because monitoring can be performed by control owners if the program is properly designed.

447
Matchingmedium

Match each risk analysis formula to its component.

Concepts and their matching descriptions:

Single loss expectancy (SLE): Asset value × exposure factor

Annualized rate of occurrence (ARO): Annual frequency of occurrence

Annualized loss expectancy (ALE): SLE × ARO

Exposure factor (EF): Percentage of asset lost per incident

Why these pairings

Quantitative risk analysis uses these formulas to calculate expected loss.

448
Multi-Selecteasy

Which TWO of the following factors should be considered when determining the frequency of control monitoring?

Select 2 answers
A.The cost of monitoring relative to control cost.
B.The number of IT projects in progress.
C.The preferences of the external auditor.
D.The criticality of the control to risk mitigation.
E.The inherent risk level of the process.
AnswersD, E

Critical controls need more frequent monitoring.

Why this answer

Options D and E are correct because the inherent risk level and the criticality of the control drive monitoring frequency. Option A is wrong because monitoring frequency should align with risk, not primarily with cost savings. Option B is wrong because the number of IT projects in progress concerns project workload, not the control itself.

Option C is wrong because external auditor preferences are secondary to the organization's own risk-based decision.

449
MCQhard

A financial institution is redesigning its control monitoring program to comply with a new regulatory requirement that mandates near-real-time monitoring of high-risk transactions. The current system performs batch processing daily. Which approach BEST meets the requirement while minimizing operational impact?

A.Use manual reviews of high-risk transactions by compliance officers within 24 hours.
B.Implement a real-time monitoring solution that only processes transactions flagged as high-risk based on predefined criteria.
C.Replace batch processing with a fully real-time system for all transactions.
D.Increase batch processing frequency from daily to hourly.
AnswerB

Targeted real-time monitoring meets requirement efficiently.

Why this answer

Option B is correct because adding a parallel real-time stream for high-risk transactions directly meets the requirement without disrupting the existing batch processing. Option D is wrong because increasing batch frequency to hourly still does not achieve near-real-time monitoring. Option C is wrong because replacing batch processing with real-time processing for all transactions is costly and risky.

Option A is wrong because manual review within 24 hours is not near-real-time.

450
MCQmedium

Refer to the exhibit. What does this log entry indicate about the monitoring process?

A.The monitoring process lacks manual validation.
B.The monitoring process has a high false positive rate.
C.The monitoring process includes appropriate categorization and response.
D.The monitoring process is effective because the alert was automatically blocked.
AnswerC

The process steps indicate proper triage, escalation, and forensic analysis.

Why this answer

Option C is correct. The log shows automated detection, blocking, escalation to the SOC, and analyst review, indicating a well-defined process. Option D is incomplete because automatic blocking alone does not confirm that the process is effective.

Option B is not supported because a single false positive does not indicate a high rate. Option A is wrong because manual validation by an analyst did occur.
