Certified in Risk and Information Systems Control CRISC (CRISC) — Questions 451-500

500 questions total · 7 pages · All types, answers revealed

Page 7 of 7

451
MCQ · medium

An organization recently experienced a data breach due to a misconfigured cloud storage bucket. As part of the IT risk assessment, which control should be prioritized to prevent recurrence?

A. Require management approval for all cloud storage changes.
B. Implement mandatory annual security awareness training for all employees.
C. Increase the frequency of third-party penetration testing.
D. Deploy automated cloud configuration scanning and remediation tools.
Answer: D

Automated scanning detects and often corrects misconfigurations in real-time, directly mitigating the root cause.

Why this answer

Option D is correct because automated cloud configuration scanning and remediation tools directly address the root cause of a misconfigured cloud storage bucket by continuously monitoring cloud infrastructure against security baselines (e.g., CIS benchmarks) and automatically correcting deviations. This prevents recurrence by catching misconfigurations in real time, rather than relying on manual approval processes or periodic testing that may miss transient changes.

Exam trap

The trap here is that candidates often choose Option A (management approval) because it seems like a strong administrative control, but CRISC emphasizes that preventive technical controls—especially automated ones—are prioritized over manual processes for recurring technical risks like cloud misconfigurations.

How to eliminate wrong answers

Option A is wrong because requiring management approval for all cloud storage changes introduces a manual bottleneck that does not prevent misconfigurations from being deployed; it only adds a review step that may still miss technical misconfigurations, especially in dynamic cloud environments with Infrastructure as Code (IaC). Option B is wrong because mandatory annual security awareness training, while valuable for general security hygiene, does not address the specific technical failure of a misconfigured cloud bucket—training cannot prevent automated or scripted misconfigurations that bypass human interaction. Option C is wrong because increasing the frequency of third-party penetration testing provides only periodic snapshots of security posture and cannot detect or remediate misconfigurations that occur between tests; it is a detective control, not a preventive one.

452
MCQ · medium

A company's risk monitoring report shows that a key risk indicator (KRI) has exceeded the threshold for three consecutive months. What is the MOST appropriate action?

A. Conduct a root cause analysis and implement corrective actions.
B. Wait for the KRI to return to normal on its own.
C. Raise the threshold to avoid future breaches.
D. Implement temporary manual controls.
Answer: A

Addresses the cause of the KRI breach.

Why this answer

A KRI that has exceeded its threshold for three consecutive months indicates a persistent risk condition, not a transient anomaly. The most appropriate action is to conduct a root cause analysis to identify the underlying issue and implement corrective actions to bring the risk back within acceptable levels. This aligns with the CRISC domain of Risk and Control Monitoring and Reporting, which emphasizes proactive remediation over passive observation or threshold manipulation.

Exam trap

The trap here is that candidates may confuse a persistent KRI breach with a temporary spike and choose to wait (Option B) or adjust the threshold (Option C), failing to recognize that the CRISC framework mandates investigation and corrective action for sustained deviations.

How to eliminate wrong answers

Option B is wrong because waiting for the KRI to return to normal on its own ignores the persistent nature of the breach and assumes a self-correcting mechanism, which is not a valid risk management strategy. Option C is wrong because raising the threshold to avoid future breaches is a form of risk acceptance without justification and undermines the integrity of the KRI as an early warning indicator. Option D is wrong because implementing temporary manual controls without first understanding the root cause may address symptoms but not the underlying risk, and manual controls often introduce operational inefficiencies and are not sustainable.

453
MCQ · medium

Refer to the exhibit. What risk is most directly indicated by this log entry?

A. External attack
B. Misconfigured firewall
C. Unauthorized access attempt
D. Insider threat
Answer: C

An internal device attempting RDP to another internal device without apparent authorization indicates a potential unauthorized access attempt.

Why this answer

The log entry shows a repeated 'Failed password' event for user 'root' from IP 10.10.10.10 via SSH. This directly indicates an unauthorized access attempt, as someone is trying to authenticate with incorrect credentials. The source IP is external to the trusted network, and the failure count suggests a brute-force or password guessing attack.

Exam trap

The trap here is that candidates see an external IP and immediately think 'external attack' (Option A), but the question asks for the risk 'most directly indicated' — which is the specific unauthorized access attempt, not the general category of attack.

How to eliminate wrong answers

Option A is wrong because while the source IP is external, the log does not show any exploit, malware, or successful breach — it only shows failed authentication attempts, so 'external attack' is too broad and not directly indicated. Option B is wrong because a misconfigured firewall would typically permit or deny traffic incorrectly (e.g., allowing inbound SSH when it should be blocked), but the log shows the firewall is correctly allowing SSH and the authentication is failing, not a firewall rule issue. Option D is wrong because an insider threat would originate from an internal IP or authenticated user abusing privileges; the source IP 10.10.10.10 is external and the user 'root' is not yet authenticated, so this is not an insider action.

454
MCQ · medium

During a merger and acquisition (M&A) due diligence, the acquiring company's IT risk manager is tasked with identifying risks in the target's IT environment. Which of the following would be the MOST effective technique to uncover hidden risks?

A. Analyze the target's existing risk register
B. Perform an on-site technical assessment and interview key IT staff
C. Review the target's IT policies and procedures
D. Conduct a network vulnerability scan
Answer: B

Direct assessment uncovers undocumented controls and cultural issues.

Why this answer

Option B is correct because an on-site technical assessment and interviews allow the risk manager to observe actual controls, uncover undocumented systems, and assess security culture. Option C is incorrect because reviewing only high-level policies may miss operational gaps. Option D is incorrect because a vulnerability scan does not cover process or governance risks.

Option A is incorrect because the target's own risk register may be incomplete or biased.

455
Multi-Select · medium

A company is evaluating its control monitoring program. Which TWO of the following are key elements of an effective control monitoring framework? (Choose two.)

Select 2 answers
A. Integration with performance management.
B. Periodic review of KRI thresholds.
C. Use of statistical sampling for all tests.
D. Automated alerts for all control failures.
E. Clearly defined roles and responsibilities.
Answers: B, E

Thresholds must be reviewed to remain aligned with risk appetite.

Why this answer

Options B and E are correct. Clearly defined roles and responsibilities ensure accountability, and periodic review of KRI thresholds ensures the monitoring remains relevant. Option D is wrong because not all failures need automated alerts; some may be handled manually.

Option A is wrong because integration with performance management is not a core element. Option C is wrong because statistical sampling is just one method and is not always appropriate.

456
Matching · medium

Match each information security objective to its description.

Concepts
Matches

Data is accessible only to authorized parties

Data is accurate and complete

Data is accessible when needed

Actions can be traced to individuals

Why these pairings

The CIA triad plus accountability are core security principles.

457
Multi-Select · medium

Which TWO of the following are examples of risk transfer? (Select TWO.)

Select 2 answers
A. Outsourcing IT operations to a third party
B. Implementing encryption
C. Accepting residual risk
D. Buying cyber insurance
E. Conducting security training
Answers: A, D

Outsourcing transfers the risk of IT operations to the vendor.

Why this answer

Options A and D are correct because outsourcing and insurance both shift financial or operational risk to another party.

458
MCQ · hard

A healthcare organization is migrating its electronic health records (EHR) system to a cloud provider. The risk assessment shows that the cloud provider has strong security certifications (e.g., SOC 2 Type II, ISO 27001). However, the organization's legal team is concerned about data sovereignty laws that require patient data to remain within the country. The cloud provider's data centers are located in three regions: one in-country, and two outside. The project manager proposes using only the in-country data center. The IT director warns that this will increase latency and reduce redundancy. The risk manager must propose a response. Which is the BEST option?

A. Accept the legal risk because the cloud provider's certifications are sufficient, and document the decision.
B. Use all three data centers with automatic failover, and rely on the cloud provider's contractual guarantees of data residency.
C. Configure the EHR system to store primary data in the in-country data center, and use the other two centers for disaster recovery with data residency controls ensuring data does not leave the country unless encrypted and with legal approval.
D. Use only the in-country data center and accept the increased availability risk.
Answer: C

This balances compliance, availability, and redundancy.

Why this answer

Option C is correct because it provides a balanced approach: use the in-country data center for primary storage to comply with data sovereignty, but use the other data centers for disaster recovery with data residency controls. Option D is wrong because using only one data center increases availability risk. Option B is wrong because direct cloud replication to outside centers violates data sovereignty.

Option A is wrong because accepting the legal risk is unacceptable given the regulatory environment.

459
Multi-Select · hard

Which THREE of the following are commonly used techniques for identifying IT risks in a large enterprise?

Select 3 answers
A. Cost-benefit analysis
B. Brainstorming sessions
C. Delphi technique
D. Risk questionnaires
E. SWOT analysis
Answers: B, D, E

Brainstorming is a common risk identification technique.

Why this answer

Options B, D, and E are correct. SWOT analysis (E) can identify risk-related strengths, weaknesses, opportunities, and threats. Brainstorming (B) is a collaborative technique.

Risk questionnaires (D) gather input from many stakeholders. Option C (Delphi technique) is used for reaching consensus, not for initial identification. Option A (cost-benefit analysis) is for evaluating controls, not identifying risks.

460
MCQ · medium

A risk manager is evaluating the effectiveness of a set of key risk indicators (KRIs). Which TWO of the following are characteristics of effective KRIs?

A. They are complex and difficult to measure
B. They are quantifiable and based on reliable data
C. They are lagging indicators that reflect past events
D. They are leading indicators that provide early warning of potential risk events
E. They focus on a very narrow aspect of risk
Answer: B, D

Quantifiable KRIs with reliable data ensure objective monitoring.

Why this answer

Options B and D are correct. Effective KRIs should be predictive (leading) and quantifiable. Option C is wrong because lagging indicators are less useful for proactive management.

Option A is wrong because complex KRIs are difficult to communicate and monitor. Option E is wrong because a narrow scope may miss broader risks.

461
MCQ · easy

Based on the exhibit, which key risk indicator (KRI) would this log data be MOST useful for calculating?

A. Number of failed authentication attempts per hour.
B. Percentage of successful user logins.
C. Percentage of system uptime.
D. Number of unauthorized changes to system configurations.
Answer: A

Directly derived from failed login events.

Why this answer

Option A is correct because the log shows multiple failed login attempts from a single IP address, which is a direct indicator of a possible brute-force attack. Option B is wrong because successful logins are not shown. Option D is wrong because the log does not show change activity.

Option C is wrong because the log does not show system downtime.

462
MCQ · hard

Based on the exhibit, what is the MOST significant risk exposure?

A. The policy does not include deny statements, so all access is allowed
B. The AdminRole can access both buckets
C. Public access to the public-bucket with no restrictions
D. The anonymous access to the confidential-bucket
Answer: C

Anyone (Principal: *) can get objects from the public-bucket, posing a data leakage risk.

Why this answer

Option C is correct because public access to the public-bucket with no restrictions means that anyone on the internet can read, write, or delete objects in that bucket. This is the most significant risk exposure because it directly exposes data to unauthorized users without any authentication or authorization controls, violating the principle of least privilege and potentially leading to data breaches or data loss.

Exam trap

The trap here is that candidates may focus on the absence of deny statements (Option A) or the presence of admin access (Option B) as the primary risk, but the most significant exposure is the unrestricted public access to the public-bucket, which directly violates data confidentiality.

How to eliminate wrong answers

Option A is wrong because the absence of deny statements does not automatically allow all access; access control policies in AWS S3 are evaluated based on the combination of bucket policies, IAM policies, and ACLs, and the default is to deny all access unless explicitly allowed. Option B is wrong because the AdminRole having access to both buckets is not inherently a risk; it is a legitimate administrative privilege that is expected and can be managed with proper controls. Option D is wrong because anonymous access to the confidential-bucket is not indicated in the exhibit; the exhibit shows that the confidential-bucket has a policy that denies anonymous access, so this option describes a scenario that does not exist.

463
Matching · medium

Match each risk management term to its definition.

Concepts
Matches

Risk level before controls are applied

Risk level after controls are applied

Amount of risk the organization is willing to accept

Acceptable deviation from risk appetite

Why these pairings

These terms are fundamental to understanding risk management.

464
MCQ · easy

Refer to the exhibit. Which of the following is the MOST critical risk that should be addressed first?

A. SSH protocol version 1.0 on 192.168.1.10
B. RDP with weak encryption on 192.168.1.20
C. SMB signing not required on 192.168.1.20
D. Apache HTTP Server 2.2.3 on 192.168.1.10
Answer: A

Critical vulnerability should be addressed first.

Why this answer

Option A is correct because SSH version 1.0 is a critical vulnerability and should be prioritized. Option D is wrong because Apache 2.2.3 is rated high but is not as critical. Option B is wrong because RDP weak encryption is rated medium.

Option C is wrong because SMB signing not being required is rated medium.

465
MCQ · easy

A company is conducting an IT risk assessment for the first time. Which of the following should be the FIRST step?

A. Identify all IT assets
B. Establish the risk assessment context
C. Analyze the likelihood and impact of threats
D. Implement mitigating controls
Answer: B

Establishing context is the initial step in the risk assessment process.

Why this answer

Before any risk assessment activities can begin, the organization must establish the context—defining the scope, risk appetite, criteria for risk evaluation, and the business objectives the assessment supports. Without this foundational step, subsequent identification of assets, threat analysis, or control implementation would lack alignment with business goals and could produce irrelevant or misleading results. This aligns with the ISACA Risk IT framework and the CRISC domain of IT Risk Assessment.

Exam trap

The trap here is that candidates often jump straight to identifying assets (Option A) because it seems like the most tangible first step, but they fail to recognize that without establishing context, the asset inventory may be scoped incorrectly or lack business alignment.

How to eliminate wrong answers

Option A is wrong because identifying all IT assets is a subsequent step that depends on knowing the scope and boundaries defined during context establishment; without context, asset identification may be incomplete or misaligned. Option C is wrong because analyzing likelihood and impact of threats occurs after threats and vulnerabilities have been identified, which itself follows context establishment and asset identification. Option D is wrong because implementing mitigating controls is a risk response activity that occurs only after risks have been assessed, evaluated, and a decision to treat them has been made.

466
MCQ · medium

A company recently experienced a data breach due to an unpatched vulnerability in a public-facing web application. During the post-incident review, the IT risk manager notes that the vulnerability was identified by the vulnerability scanner six months ago but was not remediated because the patch required a critical database server restart. Which of the following is the BEST risk treatment decision to prevent a recurrence?

A. Ignore the vulnerability until the next maintenance window.
B. Escalate the risk to senior management for acceptance.
C. Implement a compensating control such as a web application firewall.
D. Accept the risk based on the low likelihood of exploitation.
Answer: C

A WAF can block exploitation attempts until a proper patch can be applied.

Why this answer

Option C is correct because implementing a web application firewall (WAF) as a compensating control provides virtual patching, blocking exploitation attempts at the application layer (e.g., SQL injection, path traversal) without requiring a database server restart. This directly addresses the root cause—the unpatched vulnerability—while avoiding the operational disruption that prevented the patch from being applied. A WAF can inspect HTTP/HTTPS traffic and filter malicious payloads based on signatures or behavioral rules, effectively reducing risk to an acceptable level until the next maintenance window.

Exam trap

The trap here is that candidates may confuse risk acceptance (Option D) with a valid treatment when the vulnerability has already been exploited, failing to recognize that a compensating control like a WAF is the only option that actively reduces risk without causing the operational disruption that prevented patching.

How to eliminate wrong answers

Option A is wrong because ignoring the vulnerability until the next maintenance window leaves the public-facing web application exposed to active exploitation, which contradicts the goal of preventing recurrence and violates the principle of timely risk treatment. Option B is wrong because escalating the risk to senior management for acceptance is a risk acceptance decision, not a risk treatment decision that actively reduces the likelihood or impact of exploitation; it merely formalizes inaction without adding any security controls. Option D is wrong because accepting the risk based on low likelihood is invalidated by the fact that the vulnerability was already exploited once, proving that the likelihood is not low and that the threat landscape is active.

467
MCQ · hard

During a risk assessment of a legacy system, the assessor finds that no control is currently in place. The inherent risk level is 'critical'. The residual risk will be:

A. Medium
B. Critical
C. High
D. Low
Answer: B

No controls mean residual risk remains critical.

Why this answer

Residual risk is the level of risk remaining after controls are applied. Since the scenario explicitly states that no control is currently in place, the residual risk remains identical to the inherent risk level, which is 'critical'. Therefore, the residual risk is also critical.

Exam trap

The trap here is that candidates may assume residual risk is always lower than inherent risk, forgetting that without any controls, residual risk equals inherent risk by definition.

How to eliminate wrong answers

Option A is wrong because 'Medium' would imply that some risk reduction has occurred, but with no controls applied, the risk cannot be lowered from critical to medium. Option C is wrong because 'High' suggests a partial reduction in risk, which is not possible when no control exists to mitigate the inherent critical risk. Option D is wrong because 'Low' would require effective controls to significantly reduce the risk, which is absent in this scenario.

468
Multi-Select · easy

Which TWO of the following are primary sources of risk identification for IT projects?

Select 2 answers
A. Social media monitoring
B. Vendor marketing materials
C. Project documentation (e.g., scope, schedule, budget)
D. Stakeholder interviews
E. Industry benchmark reports
Answers: C, D

Project docs contain key risk information.

Why this answer

Project documentation such as scope, schedule, and budget is a primary source of risk identification because it defines the project's boundaries, constraints, and deliverables. Analyzing these documents helps identify risks related to scope creep, unrealistic timelines, or insufficient funding that could impact IT project success.

Exam trap

The trap here is that candidates often mistake external or secondary sources (like industry reports or social media) as primary risk identification sources, when in fact only project-specific documentation and direct stakeholder engagement are considered primary for IT projects.

469
MCQ · hard

A risk practitioner is asked to reduce the number of KRIs tracked from 50 to 20. Which KRIs should be prioritized for removal?

A. KRIs that have been consistently below threshold for two years
B. KRIs that are not directly mapped to any risk in the risk register
C. KRIs that require manual data collection
D. KRIs that have high volatility
Answer: B

Unmapped KRIs lack context and decision support.

Why this answer

The correct answer is B. KRIs that do not directly link to a risk in the risk register are likely not providing actionable information. Options A, C, and D describe KRIs that are useful for monitoring.

470
Multi-Select · hard

Which THREE of the following are valid risk identification methods according to ISACA's Risk IT Framework? (Select exactly 3.)

Select 3 answers
A. Segregation of duties
B. Scenario analysis
C. Risk acceptance
D. SWOT analysis
E. Brainstorming
Answers: B, D, E

Scenario analysis explores possible future events to identify risks.

Why this answer

Scenario analysis is a valid risk identification method under ISACA's Risk IT Framework because it involves developing hypothetical scenarios to identify potential threats and vulnerabilities that could lead to risk events. This technique helps organizations anticipate and prepare for plausible adverse situations by analyzing their impact on IT assets and business objectives.

Exam trap

The trap here is that candidates often confuse risk identification techniques with risk response or control activities, mistakenly selecting segregation of duties or risk acceptance as valid identification methods when they are actually part of risk mitigation and risk treatment processes.

471
MCQ · medium

A retail company is assessing the risk of a POS malware attack. Which approach would BEST quantify the potential financial impact?

A. Vulnerability scanning and penetration testing
B. Annualized Loss Expectancy (ALE) calculation based on past incidents
C. Scenario analysis with input from business and IT stakeholders
D. Failure Mode and Effects Analysis (FMEA)
Answer: C

Scenario analysis provides tailored impact estimates.

Why this answer

Scenario analysis with input from business and IT stakeholders is the best approach because it allows the organization to model specific POS malware attack scenarios, incorporating both technical threat vectors (e.g., memory scraping of track data) and business context (e.g., PCI DSS fines, card reissuance costs, brand damage). This collaborative method produces a more accurate and contextualized financial impact estimate than purely historical or technical assessments, especially for emerging or evolving threats like POS malware.

Exam trap

The trap here is that candidates often choose B (ALE based on past incidents) because it appears quantitative and straightforward, but the question asks for the BEST approach to quantify potential financial impact for a specific threat (POS malware), where historical data is often sparse or irrelevant, making scenario analysis with stakeholder input more accurate and forward-looking.

How to eliminate wrong answers

Option A is wrong because vulnerability scanning and penetration testing identify technical weaknesses and exploit paths but do not quantify financial impact in monetary terms; they are risk identification tools, not impact quantification methods. Option B is wrong because Annualized Loss Expectancy (ALE) calculation based on past incidents assumes historical frequency and impact remain constant, which is unreliable for POS malware where attack vectors, detection capabilities, and regulatory penalties change rapidly; it also fails to account for unique business-specific factors. Option D is wrong because Failure Mode and Effects Analysis (FMEA) is a reliability engineering tool focused on identifying failure modes and their effects on system function, not on quantifying financial loss from a targeted cyberattack like POS malware; it lacks the business context and monetary valuation needed for financial impact assessment.

472
MCQ · medium

A large retailer is implementing a new point-of-sale (POS) system. The project manager wants to identify risks related to payment card data security. Which risk identification technique would be MOST effective for this purpose?

A. Risk register review from past projects
B. Brainstorming session with the project team
C. Data Flow Diagram (DFD) review
D. SWOT analysis
Answer: C

A DFD shows how card data is processed, stored, and transmitted, highlighting risk points.

Why this answer

A Data Flow Diagram (DFD) review is most effective because it visually maps how payment card data moves through the POS system—from card swipe to authorization to storage—identifying exactly where data is at rest, in transit, or processed. This allows the team to pinpoint specific PCI DSS control gaps (e.g., unencrypted transmission, unnecessary retention) that other techniques might miss.

Exam trap

The trap here is that candidates often choose 'Brainstorming session with the project team' because it seems collaborative and proactive, but they fail to recognize that for technical data security risks, a structured, visual analysis like a DFD review is far more precise and complete.

How to eliminate wrong answers

Option A is wrong because a risk register from past projects captures generic historical risks but cannot reveal the unique data flows, integration points, or PCI DSS compliance gaps specific to this new POS system. Option B is wrong because a brainstorming session with the project team relies on subjective, unstructured input and may overlook subtle data-handling vulnerabilities that only a systematic diagram-based analysis can expose. Option D is wrong because SWOT analysis evaluates strengths, weaknesses, opportunities, and threats at a strategic level, not the granular technical details of payment data movement and storage required for PCI DSS risk identification.

473
MCQ · hard

A technology startup is developing a mobile payment application. During a risk identification workshop, the team identifies a risk that the application may not comply with Payment Card Industry Data Security Standard (PCI DSS) requirements. What is the BEST way to categorize this risk?

A. Compliance risk.
B. Strategic risk.
C. Operational risk.
D. Reputational risk.
Answer: A

Non-compliance with PCI DSS is a direct regulatory risk.

Why this answer

Non-compliance with PCI DSS is a direct violation of regulatory requirements, making it a compliance risk. For a mobile payment application handling cardholder data, PCI DSS mandates specific security controls (e.g., encryption of PAN, access controls, logging). Failure to meet these standards exposes the startup to fines, legal sanctions, and potential loss of the ability to process payments.

Exam trap

The trap here is that candidates confuse the primary risk category (compliance) with the potential business impact (reputational or operational), but CRISC expects the root cause—failure to meet a regulatory standard—to be classified as compliance risk.

How to eliminate wrong answers

Option B (Strategic risk) is wrong because strategic risk relates to high-level business decisions (e.g., entering a new market, choosing a technology stack) that affect long-term goals, not a specific regulatory mandate. Option C (Operational risk) is wrong because operational risk involves failures in day-to-day processes, systems, or human error (e.g., server downtime, transaction processing errors), not a compliance gap. Option D (Reputational risk) is wrong because reputational risk is a consequence of other risks (e.g., a data breach from non-compliance), not the primary categorization of the risk itself.

474
MCQ · medium

Refer to the exhibit. If the control objective is to prevent unauthorized access via MFA, what does this test result indicate?

A. The control is ineffective because only 30 logins were sampled.
B. The control is fully effective.
C. The control is effective only if MFA is required for all users.
D. The control is effective for the sample but may not be for the population.
Answer: D

Test results apply only to the sample tested.

Why this answer

Option D is correct because the test result is based on a sample of 30 logins, so it indicates effectiveness for that sample but cannot guarantee effectiveness for the entire population. Option B is wrong because a single sample cannot prove full effectiveness. Option A is wrong because the sample size may be statistically adequate; the limitation is that the result applies only to the sample, not that the control is ineffective.

Option C is wrong because the test does not assess the design requirement that MFA apply to all users; it tests operating effectiveness.

475
Multi-Select · medium

Which TWO are characteristics of inherent risk?

Select 2 answers
A. Based on the effectiveness of current controls
B. Used to determine control gap
C. Risk level before controls
D. Risk level after controls
E. Based on the assumption that no controls exist
Answers: C, E

Inherent risk is without controls.

Why this answer

Inherent risk is defined as the risk level that exists before any controls are applied or considered. It represents the raw, untreated risk exposure that an organization would face if no mitigating actions were in place. This concept is foundational in risk assessment because it establishes the baseline against which the effectiveness of controls is measured.

Exam trap

The trap here is that candidates often confuse inherent risk with residual risk, mistakenly thinking that inherent risk includes the effect of existing controls, which is a common misconception tested in CRISC questions.

476
MCQeasy

A company's control monitoring dashboard shows that a key control has been operating effectively for six months. However, a recent audit revealed a material weakness. Which of the following is the MOST likely reason?

A.The KRI thresholds were set incorrectly.
B.The control was not tested during the period.
C.The monitoring frequency was too low.
D.The control owner was not trained.
AnswerA

Incorrect thresholds can prevent detection of control failures, leading to a false effective status.

Why this answer

Option A is correct because if KRI thresholds are set too high, the monitoring system may not trigger alerts even when the control is failing, giving a false sense of effectiveness. Option B is wrong because the control was likely tested during the period. Option C is wrong because frequency is not the primary issue if thresholds are misaligned.

Option D is wrong because training affects control operation, not monitoring thresholds.

477
MCQhard

A multinational corporation operates in 15 countries with decentralized control monitoring systems. Each regional office uses different tools and processes for monitoring operational risks. The corporate risk team has consolidated quarterly reports, but the board recently raised concerns about inconsistencies and late identification of emerging risks. A root cause analysis revealed that regional monitoring teams define key risk indicators (KRIs) differently and report on different timeframes. Additionally, there is no centralized platform to aggregate data. The risk manager must recommend a solution that balances local autonomy with global visibility. Which option is the most effective?

A.Create a policy requiring regional risk teams to follow the same KRI definitions and reporting schedule.
B.Implement a centralized risk and control monitoring platform that aggregates data and enforces common reporting standards.
C.Standardize monitoring tools across all regions globally.
D.Increase the frequency of board risk committee meetings to twice per month.
AnswerB

Provides global visibility while allowing local input; addresses root cause of inconsistency.

Why this answer

A centralized risk and control monitoring platform standardizes data and reporting while allowing local customization via configurable thresholds. Standardizing tools globally (C) might ignore local nuances; policy alone (A) doesn't enforce consistency; increasing meeting frequency (D) does not address data inconsistency.

478
MCQeasy

An organization purchases cyber insurance to cover potential losses from data breaches. This is an example of:

A.Risk Avoidance
B.Risk Transfer
C.Risk Mitigation
D.Risk Acceptance
AnswerB

Insurance is a classic example of risk transfer.

Why this answer

Purchasing cyber insurance transfers the financial risk of a data breach to the insurer, making it a classic example of risk transfer. In risk management, transfer shifts the impact of a loss to a third party (e.g., an insurance carrier) without eliminating the underlying threat or vulnerability. This aligns with the CRISC domain of Risk Response and Mitigation, where transfer is a distinct response strategy.

Exam trap

The trap here is that candidates confuse risk transfer with risk mitigation, thinking insurance reduces the likelihood of a breach, when in fact it only shifts the financial consequences.

How to eliminate wrong answers

Option A is wrong because risk avoidance would mean eliminating the activity that causes the risk (e.g., not storing any sensitive data), not insuring against it. Option C is wrong because risk mitigation involves implementing controls (e.g., encryption, firewalls) to reduce the likelihood or impact of a breach, not transferring financial liability. Option D is wrong because risk acceptance means formally acknowledging the risk and bearing the potential loss without purchasing insurance or implementing additional controls.

479
Matchingmedium

Match each compliance framework to its primary focus.


Concepts
Matches

Information security management system

Cybersecurity risk management framework

Payment card data security

Healthcare data privacy and security

Why these pairings

Different frameworks address specific regulatory or industry requirements.

480
MCQmedium

An internal audit found that a control designed to prevent duplicate payments was bypassed in 5% of transactions. The control owner argues that the control is still effective because the bypass rate is low. What is the BEST response from a risk perspective?

A.Accept the bypass rate as within acceptable tolerance.
B.Document that the control is 95% effective and close the finding.
C.Investigate why bypasses occur and implement compensating controls.
D.Re-classify the control as a detective control instead of preventive.
AnswerC

Root cause analysis is needed.

Why this answer

Option C is correct because the root cause of the bypasses must be addressed to ensure control reliability. Option A is wrong because accepting the bypass rate may increase risk. Option B is wrong because 95% effectiveness may not meet policy.

Option D is wrong because re-classifying the control does not address the issue.

481
MCQhard

You are the IT risk manager for a mid-sized e-commerce company that processes over 10,000 transactions per day. The company recently migrated its customer database from an on-premises SQL Server to a cloud-based PostgreSQL instance on AWS RDS. The database contains personally identifiable information (PII) including names, addresses, and credit card numbers (stored as encrypted tokens). The migration was performed by the DevOps team with minimal involvement from the security team. Two weeks after the migration, the company experienced a data breach where an attacker exfiltrated a subset of customer records. The forensic investigation revealed that the attacker exploited a misconfigured security group that allowed inbound traffic from the internet on port 5432 (PostgreSQL default port). Additionally, the database had a publicly accessible endpoint, and the master user password was weak (eight characters, no special characters). The attacker used a brute-force attack to guess the password. The security group has since been corrected, and the password has been changed to a strong one. The breach notification laws require reporting within 72 hours. The CEO wants to understand the root cause and prevent recurrence. As the risk manager, which of the following actions should you recommend as the MOST effective to prevent a similar incident?

A.Implement infrastructure-as-code (IaC) security scanning and policy enforcement in the CI/CD pipeline to prevent insecure configurations.
B.Deploy an intrusion detection system (IDS) to monitor database traffic for brute-force attempts.
C.Hire a dedicated database administrator to review all database configurations weekly.
D.Conduct quarterly security audits of cloud infrastructure configurations.
AnswerA

Automated enforcement prevents misconfigurations from being deployed.

Why this answer

Option A is correct because the root cause is the misconfigured security group and weak password, both of which stem from insufficient security review and a lack of automated controls. Implementing a policy-as-code tool that enforces security group rules (e.g., no public access to databases) and password policies during deployment would prevent such misconfigurations. Option C is wrong because, while a dedicated DBA could help, it does not address the process gap for automated enforcement.

Option D is wrong because quarterly reviews are too infrequent to catch misconfigurations quickly. Option B is wrong because IDS/IPS detects attacks but does not prevent misconfigurations.

482
Multi-Selecteasy

Which TWO of the following are key attributes of effective risk reporting?

Select 2 answers
A.Includes full risk register details
B.Only issued when a risk incident occurs
C.Provides actionable information for decision-makers
D.Tailored to the specific needs of the audience
E.Sent to all employees by email
AnswersC, D

Purpose of reporting.

Why this answer

The correct options are C and D. Risk reporting should be tailored to the audience (D) and actionable (C). B is incorrect because reporting should be regular, not issued only when an incident occurs.

A is too generic; E is about distribution, not content.

483
MCQeasy

An organization is designing a risk indicator monitoring program for its key financial risks. Which of the following is the BEST example of a key risk indicator (KRI) for credit risk?

A.Percentage of loans that are in default or non-performing.
B.Number of employees who completed cybersecurity training.
C.Percentage of network uptime over the past month.
D.Employee turnover rate in the finance department.
AnswerA

This directly measures credit risk.

Why this answer

A key risk indicator (KRI) for credit risk must directly measure the likelihood or impact of a borrower failing to meet their obligations. The percentage of loans that are in default or non-performing is a direct, quantitative measure of credit risk exposure, as it reflects the actual realization of credit losses. This aligns with the CRISC focus on monitoring risk levels to trigger timely responses.

Exam trap

The trap here is that candidates confuse KRIs with KPIs or operational metrics, selecting a generic performance measure (like training completion or uptime) instead of a risk-specific indicator that directly quantifies credit exposure.

How to eliminate wrong answers

Option B is wrong because the number of employees who completed cybersecurity training is a key performance indicator (KPI) for security awareness, not a KRI for credit risk; it measures activity, not the creditworthiness of borrowers. Option C is wrong because percentage of network uptime is an operational risk KRI related to IT availability, not a measure of credit risk. Option D is wrong because employee turnover rate in the finance department is a human resources metric that may indicate operational inefficiency but does not directly measure the probability of default or credit loss.

484
MCQmedium

A risk assessment reveals that a legacy system has a high likelihood of failure. The system is critical and cannot be replaced immediately. The company decides to implement manual overrides and additional monitoring. This is an example of:

A.Risk Transfer
B.Risk Mitigation
C.Risk Acceptance
D.Risk Avoidance
AnswerB

Manual overrides and monitoring reduce the likelihood or impact of failure.

Why this answer

Option B is correct because implementing controls reduces the risk, which is mitigation.

485
MCQeasy

During a risk assessment for a critical financial application, the IT risk manager identifies a vulnerability in the application's authentication module. The exploit would require authenticated access. Which risk rating is most appropriate if the vulnerability has a CVSS base score of 9.0, but the application is behind a strong firewall and requires two-factor authentication?

A.Medium, after considering the compensating controls
B.Low, because the application requires authenticated access
C.High, because CVSS base score is 9.0
D.Very high, due to the criticality of the application
AnswerA

Compensating controls reduce the likelihood of exploitation.

Why this answer

Option A is correct because the CVSS base score of 9.0 reflects the intrinsic severity of the vulnerability, but the final risk rating must incorporate compensating controls. The strong firewall and two-factor authentication (2FA) significantly reduce the likelihood of exploitation, as the attacker would need to bypass both network-level filtering and an additional authentication factor. In CRISC methodology, risk is a function of likelihood and impact; here, the controls lower the likelihood, resulting in a Medium residual risk rating despite the high base score.

Exam trap

The trap here is that candidates assume a high CVSS base score automatically dictates a High or Very High risk rating, ignoring the CRISC principle that risk must be evaluated after applying compensating controls and environmental modifiers.

How to eliminate wrong answers

Option B is wrong because requiring authenticated access does not automatically make the risk Low; the vulnerability still exists and could be exploited by an authenticated user, and the CVSS score already accounts for the attack vector (network) and complexity (low). Option C is wrong because the CVSS base score alone does not determine the final risk rating; it must be adjusted for environmental and compensating controls per the CVSS specification (e.g., modified attack vector, modified authentication). Option D is wrong because application criticality influences impact but not the final risk rating without considering likelihood; the compensating controls reduce the likelihood, so Very High is not appropriate.

486
MCQmedium

A risk register is being updated after a quarterly risk assessment. One risk has decreased in likelihood due to new controls. However, the risk score remains unchanged because the impact increased. What should the risk practitioner do?

A.Remove the risk from the register because it is under control
B.Recalculate the risk score using the new likelihood and impact values
C.Automatically accept the risk because likelihood decreased
D.Escalate to senior management for a new risk treatment plan
AnswerB

The risk score should be based on current likelihood and impact; if impact increased, the score may stay the same or increase.

Why this answer

The risk score is a function of both likelihood and impact. Even though new controls reduced likelihood, the increased impact means the overall risk level may remain unchanged. The correct action is to recalculate the risk score using the updated values to reflect the current risk posture accurately, as required by the risk assessment process.

Exam trap

The trap here is that candidates assume a decrease in likelihood automatically lowers the risk score, ignoring that a simultaneous increase in impact can offset that reduction, leading them to prematurely accept or escalate the risk without recalculating.

How to eliminate wrong answers

Option A is wrong because removing a risk from the register simply because it is 'under control' ignores the fact that the impact has increased, which could still result in an unacceptable residual risk; risks are removed only when they are fully mitigated or no longer relevant. Option C is wrong because automatically accepting a risk solely because likelihood decreased disregards the increased impact, which may push the risk beyond the organization's risk appetite; acceptance requires a formal decision based on the full risk profile. Option D is wrong because escalating to senior management for a new treatment plan is premature; the first step is to recalculate the risk score to determine if the risk level has actually changed, and only then decide if further treatment is needed.

487
MCQeasy

After a risk assessment, a company decides to stop using a third-party service that has high residual risk. This is an example of:

A.Risk Mitigation
B.Risk Avoidance
C.Risk Transfer
D.Risk Acceptance
AnswerB

Avoidance is the decision not to engage in the risk-prone activity.

Why this answer

Option B is correct because eliminating the use of the service removes the risk entirely, which is avoidance.

488
MCQhard

A SIEM event shows multiple failed logins followed by a successful login for the service account 'svc-backup'. The risk practitioner is evaluating the controls. Which finding is MOST significant?

A.The service account has excessive database privileges
B.The failed login events were not logged in real time
C.Failed logins indicate a possible brute force attack
D.A service account is authenticating with a password rather than a certificate
AnswerD

Service accounts should use strong, non-password authentication.

Why this answer

The correct answer is D. The most significant issue is that a service account used for backup is authenticating with a password instead of a certificate or key, which is a security weakness. Option C is true but less significant than the authentication method.

Option A is not indicated (no excessive privileges are described). Option B is about logging, which is present.

489
MCQeasy

Which of the following is the BEST indicator that a risk assessment's results are reliable?

A.It is based on a standard framework such as ISO 31000.
B.It uses the most recent threat intelligence.
C.It includes both quantitative and qualitative methods.
D.It is performed by an external consultant.
AnswerB

Current threat intelligence ensures relevance and accuracy.

Why this answer

B is correct because the reliability of a risk assessment hinges on the accuracy and timeliness of its inputs. Using the most recent threat intelligence ensures that the assessment reflects the current threat landscape, including newly discovered vulnerabilities, active exploit campaigns, and emerging attack vectors. Without current intelligence, even a perfectly structured assessment will produce outdated risk scores that fail to represent actual exposure.

Exam trap

The trap here is that candidates often confuse methodological rigor (framework, mixed methods, or external objectivity) with data reliability, failing to recognize that the freshness and relevance of threat intelligence is the single most critical factor for producing trustworthy risk assessment results.

How to eliminate wrong answers

Option A is wrong because using a standard framework like ISO 31000 provides a structured methodology but does not guarantee that the underlying data (e.g., threat likelihood, asset values) is accurate or current; a framework is a process, not a data quality control. Option C is wrong because combining quantitative and qualitative methods improves comprehensiveness but does not address the timeliness or accuracy of the input data; both methods can produce unreliable results if fed stale or incorrect information. Option D is wrong because an external consultant may bring independence and expertise, but their work is still dependent on the quality of the threat intelligence and data they use; an external consultant using outdated intelligence is no more reliable than an internal team doing the same.

490
MCQeasy

An external audit finds that a control is not operating as designed. The auditor recommends corrective action. What should the risk practitioner do FIRST?

A.Implement the auditor's recommendation immediately
B.Develop a remediation plan with the control owner
C.Update the risk register with the auditor's finding
D.Assess the impact of the control deficiency on residual risk
AnswerD

Understanding impact drives prioritization.

Why this answer

The correct answer is D. The risk practitioner should first assess the impact of the control deficiency on residual risk. Options B and C are actions that follow the assessment.

Option A is reactive and may be part of remediation, but it is not the first step.

491
Multi-Selecthard

Which THREE factors should be considered when determining the inherent risk level of a new IT project prior to any controls?

Select 3 answers
A.Regulatory requirements governing the project's outcomes.
B.Past security incidents in similar projects.
C.Complexity of the project's technology stack.
D.Experience level of the project team.
E.Extent of external network connectivity.
AnswersA, C, E

Strict regulations increase the consequence of non-compliance, raising inherent risk.

Why this answer

Regulatory requirements (A) are a key factor in determining inherent risk because they impose mandatory compliance obligations that, if unmet, can result in legal penalties, fines, or operational shutdowns. For a new IT project, the inherent risk level is assessed based on the nature of the data processed and the applicable laws (e.g., GDPR, HIPAA, PCI DSS) before any controls are applied. This is a fundamental input to the risk assessment, as non-compliance risk exists independently of any security measures.

Exam trap

The trap here is that candidates often confuse inherent risk factors with control factors, mistakenly selecting team experience (D) or historical incidents (B) as inherent risk drivers, when in fact these are inputs for control effectiveness or residual risk assessment.

492
MCQmedium

You are a risk analyst for a financial institution that uses a legacy mainframe system for core banking transactions. The mainframe is critical for daily operations, but it is no longer supported by the vendor. The system has known vulnerabilities that cannot be patched due to compatibility issues. The institution has a risk appetite that is very low for any disruption to core banking services. Recently, there was a minor outage caused by a hardware failure, which was resolved quickly, but it highlighted the system's fragility. The IT director proposes to migrate to a modern system, but the migration will take 2 years and cost $5 million. The board is concerned about the cost and timeline. You need to recommend an immediate risk treatment to reduce the likelihood of a major outage while the migration is underway. Which of the following is the BEST course of action?

A.Accept the risk because the migration plan is in place.
B.Implement redundant hardware for critical components and conduct regular failover testing.
C.Negotiate with the vendor for extended support.
D.Purchase business interruption insurance to cover potential losses.
AnswerB

Redundancy reduces the likelihood of a single point of failure and testing ensures readiness.

Why this answer

Option B is correct because implementing redundant hardware for critical components and conducting regular failover testing directly reduces the likelihood of a major outage by addressing the single point of failure exposed by the recent hardware failure. This is an immediate risk treatment that does not depend on the 2-year migration timeline, and it aligns with the institution's very low risk appetite for core banking disruption.

Exam trap

The trap here is that candidates may choose option D (insurance) because it seems like a quick financial fix, but CRISC emphasizes that risk treatment must first address likelihood reduction before considering financial transfer, especially when the risk appetite is very low.

How to eliminate wrong answers

Option A is wrong because simply accepting the risk while the migration is underway ignores the immediate fragility highlighted by the recent outage and the known unpatched vulnerabilities; risk acceptance is not appropriate when the risk appetite is very low and a treatment is feasible. Option C is wrong because the system is no longer supported by the vendor, so negotiating for extended support is unlikely to succeed or may only provide limited, costly patches that do not address the hardware fragility; it also does not reduce the likelihood of a hardware-related outage. Option D is wrong because purchasing business interruption insurance only transfers the financial impact of a major outage, not the likelihood of it occurring; it does nothing to reduce the probability of a disruption, which is the primary concern given the very low risk appetite.

493
Multi-Selecthard

Which THREE of the following are essential components of a risk register that should be documented during risk identification? (Select exactly 3.)

Select 3 answers
A.Quantified monetary impact
B.Risk owner
C.Root cause
D.Mitigation plan
E.Risk description
AnswersB, C, E

Assigning an owner ensures accountability for managing the risk.

Why this answer

The risk register is a foundational artifact in IT risk management, and during the identification phase, its essential components are the risk description (to uniquely identify the risk), the risk owner (to assign accountability), and the root cause (to understand the underlying source). These three elements are documented before any quantitative analysis or mitigation planning occurs, as they form the basis for subsequent risk assessment and response.

Exam trap

The trap here is that candidates often confuse the risk identification phase with the risk assessment phase, selecting 'Quantified monetary impact' because they think it is needed upfront, when in fact it is only determined after the risk has been identified and analyzed.

494
MCQhard

After implementing multiple controls, the residual risk for a new product launch is still slightly above the risk appetite. The risk manager decides to proceed with the launch and monitor the risks regularly. This is:

A.Risk Transfer
B.Risk Avoidance
C.Risk Acceptance
D.Risk Mitigation
AnswerC

Acceptance is appropriate when residual risk is still above appetite but the decision is made to tolerate it.

Why this answer

Option C is correct because the risk is accepted formally as it is within an acceptable range after controls.

495
Multi-Selectmedium

Which THREE of the following are key components of an effective risk response plan?

Select 3 answers
A.Documented risk response strategy (e.g., avoid, mitigate, transfer, accept)
B.Detailed implementation timeline
C.Assigned ownership and accountability
D.Regulatory impact analysis
E.Resource allocation and budget
AnswersA, C, E

The chosen strategy is a fundamental part of the plan.

Why this answer

Risk response plans must include a documented strategy (A), assigned ownership (C), and resource allocation (E). Implementation timeline (B) and regulatory impact analysis (D) are supporting details, not core components.

496
MCQmedium

A hospital uses a patient portal that allows patients to access their medical records. The portal has experienced multiple brute-force login attempts. The risk manager wants to identify the most critical risk scenario. Which of the following should be prioritized?

A.Denial of service due to excessive login attempts.
B.Unauthorized access to patient medical records.
C.Insufficient encryption of data in transit.
D.Phishing attacks targeting portal users.
AnswerB

Breach of medical records can lead to legal penalties, identity theft, and harm to patients.

Why this answer

The most critical risk scenario from brute-force login attempts is unauthorized access to patient medical records, as this directly compromises patient privacy and violates HIPAA regulations. While denial of service is a concern, the primary impact of successful brute-force attacks is data breach, not service availability. The risk manager must prioritize the confidentiality of protected health information (PHI) over other operational risks.

Exam trap

The trap here is that candidates may focus on the immediate technical symptom (denial of service) rather than the primary business impact (unauthorized data access), which is the core of risk identification in CRISC.

How to eliminate wrong answers

Option A is wrong because denial of service from excessive login attempts is a temporary availability issue, not the most critical risk; brute-force attacks primarily aim to gain access, not to overwhelm the system, and rate limiting or account lockout policies can mitigate DoS. Option C is wrong because insufficient encryption of data in transit is a separate vulnerability related to data exposure during transmission (e.g., missing TLS), not directly caused by brute-force login attempts; the question focuses on the consequence of brute-force attacks, not encryption weaknesses. Option D is wrong because phishing attacks are a different attack vector involving social engineering to steal credentials, not a direct result of brute-force attempts; the scenario explicitly describes brute-force login attempts, not phishing.

497
MCQhard

A risk assessment identifies that a legacy system has a high risk of failure with no available vendor support. The organization decides to decommission the system and migrate to a modern platform. This is:

A.Risk Avoidance
B.Risk Transfer
C.Risk Mitigation
D.Risk Acceptance
AnswerA

Avoidance is the decision to stop the risky activity.

Why this answer

Option A is correct because decommissioning the system eliminates the risk entirely, which is avoidance.

498
MCQeasy

During a control monitoring review, it is discovered that a detective control has a high false positive rate. What is the MOST significant impact of this issue?

A.Loss of confidence in the control by management.
B.Increased risk of missing actual security incidents.
C.Reduced system performance due to alert processing.
D.Increased cost of investigating alerts.
AnswerB

Alert fatigue causes real incidents to be overlooked.

Why this answer

Option B is correct because high false positives can cause alert fatigue, leading to missed real incidents. Option A is a secondary effect. Option C is not directly caused by false positives.

Option D is a possible result but not the most significant.

499
MCQmedium

A control monitoring system generates an alert when transaction volumes exceed 10,000 per hour. Recently, the system has been generating false positives during peak business hours due to legitimate seasonal spikes. Which of the following is the BEST approach to reduce false positives while maintaining effective monitoring?

A.Disable the alerting during peak hours
B.Implement manual review of all alerts during peak hours
C.Apply dynamic thresholding that adjusts based on historical baseline
D.Increase the alert threshold to 15,000 transactions per hour
AnswerC

Dynamic thresholding adapts to regular patterns, reducing false positives.

Why this answer

Option C is correct because dynamic thresholding adjusts based on the historical baseline, reducing false positives during predictable spikes. Option B is wrong because manual review is inefficient and does not address the root cause. Option D is wrong because raising the threshold may miss true anomalies during normal periods.

Option A is wrong because disabling alerts would eliminate monitoring entirely.

500
MCQhard

Refer to the exhibit. This JSON snippet defines a monitoring policy for S3 bucket access. Which of the following is a potential risk that might NOT be detected by this monitoring policy?

A.Unauthorized GET operations from within the trusted IP range.
B.Unauthorized PUT operations from within the trusted IP range.
C.Unauthorized DELETE operations from any IP.
D.Unauthorized PUT operations from outside the trusted IP range.
AnswerC

DELETE operations are not covered by the policy at all, so they would not be monitored.

Why this answer

Option C is correct. The policy only covers PutObject and GetObject actions. DeleteObject is not monitored, so unauthorized DELETE operations would go undetected.

Options A and B concern GET and PUT from within the trusted IP range, both of which the policy explicitly addresses: GET is allowed and PUT is denied from that range, which may well be the intended design. Option D concerns PUT from outside the trusted range; the policy only has a rule for the trusted range, so whether that case is covered is less clear from the exhibit. The question, however, asks for the risk that would not be detected, and Option C is the clearest answer: DELETE operations are entirely unmonitored.
