Certified in Risk and Information Systems Control CRISC (CRISC) — Questions 601675

982 questions total · 14 pages · All types, answers revealed


Page 9 of 14

601
MCQ · medium

A risk assessment identifies a vulnerability in a critical application. The threat actor is a script kiddie with low capability. Using the FAIR framework, which factor would most directly increase the Loss Event Frequency (LEF)?

A. Reducing the vulnerability severity
B. Decreasing the threat event frequency
C. Increasing the vulnerability severity
D. Increasing the threat actor's motivation
Answer: C

Correct. Higher vulnerability severity increases LEF.

Why this answer

In FAIR, Loss Event Frequency (LEF) is derived from Threat Event Frequency (TEF) and Vulnerability, the probability that a threat event becomes a loss event. Increasing the vulnerability severity makes the application more susceptible to exploitation, raising the probability that each threat event results in a loss and therefore raising LEF, even if the threat actor has low capability.

Exam trap

The trap here is that candidates confuse 'threat actor motivation' with 'vulnerability severity' as the primary driver of LEF, but FAIR separates motivation into TEF, while vulnerability severity directly impacts the probability of a successful loss event.

How to eliminate wrong answers

Option A is wrong because reducing vulnerability severity would decrease the susceptibility of the application, which lowers LEF, not increases it. Option B is wrong because decreasing threat event frequency reduces the number of attack attempts, which directly lowers LEF, contrary to the goal of increasing it. Option D is wrong because increasing the threat actor's motivation does not directly affect LEF; motivation influences Threat Event Frequency (TEF) and the probability of action, but LEF is more directly tied to vulnerability severity and the ability to exploit it.

602
MCQ · hard

An organization wants to promote a risk-aware culture. Which initiative is most effective in encouraging employees to report security incidents without fear?

A. Conducting annual security awareness training
B. Implementing a no-blame incident reporting policy
C. Increasing penalties for policy violations
D. Publishing names of employees who caused incidents
Answer: B

This fosters an environment where employees feel safe to report issues.

Why this answer

A 'no-blame' culture encourages reporting by removing fear of punishment for unintentional errors, leading to better risk identification and learning.

603
MCQ · hard

A risk practitioner is connecting a risk scenario to business impact. The scenario involves a ransomware attack that encrypts critical financial systems, resulting in a two-week outage. Which of the following is the MOST appropriate business impact category?

A. Regulatory penalty
B. Reputational damage
C. Operational disruption
D. Financial loss
Answer: C

System outage directly disrupts operations.

Why this answer

Operational disruption directly affects the organization's ability to conduct business operations, such as system outages. While financial loss may result, the primary impact is operational disruption.

604
Multi-Select · medium

An organization is planning to adopt post-quantum cryptography. Which TWO considerations are MOST important for migration planning?

Select 2 answers
A. Evaluate the cost of quantum computers
B. Assess the cryptographic agility of current systems
C. Identify systems that need long-term confidentiality (e.g., classified data)
D. Train employees on quantum physics
E. Purchase quantum-resistant hardware immediately
Answers: B, C

Systems must be able to support new algorithms.

Why this answer

Migration must prioritize systems with long-term data sensitivity and assess cryptographic agility to adapt to new standards.

605
MCQ · hard

A risk practitioner is conducting a threat modeling exercise for a new cloud-based application using the STRIDE methodology. Which of the following is the PRIMARY benefit of using STRIDE over a simple checklist?

A. It requires less expertise to perform
B. It automatically quantifies risk levels
C. It ensures consistent application of controls
D. It identifies threats by category, reducing the chance of missing key threat types
Answer: D

STRIDE's categories (Spoofing, Tampering, etc.) help ensure comprehensive threat identification.

Why this answer

The STRIDE methodology categorizes threats into six specific types (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege). This structured approach ensures that the threat modeling exercise systematically covers each category, reducing the likelihood of overlooking entire classes of threats that a simple checklist might miss. For a cloud-based application, this is critical because threats like elevation of privilege or information disclosure can manifest in unique ways across shared infrastructure, and STRIDE forces the practitioner to consider each category explicitly.

Exam trap

The trap here is that candidates often confuse a structured methodology like STRIDE with a simple checklist, assuming any structured approach automatically ensures control consistency or risk quantification, when in fact STRIDE's primary benefit is its categorical coverage that reduces blind spots.

How to eliminate wrong answers

Option A is wrong because STRIDE requires a solid understanding of each threat category and how to map them to system components, often demanding more expertise than a simple checklist. Option B is wrong because STRIDE is a qualitative categorization framework and does not automatically quantify risk levels; risk quantification requires separate analysis (e.g., using CVSS scores or likelihood/impact ratings). Option C is wrong because while STRIDE can promote consistency in identifying threat types, it does not ensure consistent application of controls; controls are designed and implemented independently based on the identified threats.

606
MCQ · hard

A company faces a risk of data loss due to untrained staff. They implement mandatory training and quarterly phishing simulations. This is:

A. Risk Avoidance
B. Risk Acceptance
C. Risk Mitigation
D. Risk Transfer
Answer: C

Training reduces the probability of incidents, thus mitigating risk.

Why this answer

Mandatory training and quarterly phishing simulations are proactive controls that reduce the likelihood and impact of data loss from human error. This directly aligns with risk mitigation, which seeks to lower residual risk to an acceptable level without eliminating the activity or transferring the financial burden. The controls target the root cause (untrained staff) by improving security awareness and testing behavioral response.

Exam trap

The trap here is that candidates confuse 'risk mitigation' with 'risk avoidance' because they think training eliminates the risk entirely, but mitigation only reduces it, while avoidance would require stopping the use of email or data processing altogether.

How to eliminate wrong answers

Option A is wrong because risk avoidance would mean ceasing the activity that introduces the risk (e.g., not using email or not storing sensitive data), not training staff. Option B is wrong because risk acceptance involves acknowledging the risk and taking no action to reduce it, whereas the company is actively implementing controls. Option D is wrong because risk transfer shifts the financial impact to a third party (e.g., cyber insurance or outsourcing), not internal training and simulations.

607
MCQ · hard

A risk manager is calculating the probable financial impact of a ransomware attack using the FAIR model. Which factor is MOST critical to estimate the annual loss exposure?

A. Recovery time objective (RTO)
B. Threat event frequency
C. Cost of cyber insurance premium
D. Number of affected systems
Answer: B

Threat event frequency is a key component in FAIR for calculating annual loss exposure.

Why this answer

In the FAIR model, annual loss exposure (ALE) is calculated as threat event frequency multiplied by probable loss magnitude. Threat event frequency is the most critical factor because it directly drives how often losses occur, and without an accurate estimate of how frequently ransomware attacks are expected, any loss magnitude estimate becomes meaningless for annualizing exposure.

Exam trap

The trap here is that candidates often confuse loss magnitude factors (like number of affected systems or RTO) with the frequency component, mistakenly thinking that the size of a single incident is more important than how often incidents occur, when in fact both are needed but frequency is the most critical for annualizing exposure.

How to eliminate wrong answers

Option A is wrong because recovery time objective (RTO) is a metric for business continuity planning, not a direct input to the FAIR model's annual loss exposure calculation; it influences loss magnitude but is not the most critical factor. Option C is wrong because the cost of a cyber insurance premium is a financial transfer mechanism, not a risk quantification input; it reflects the insurer's assessment of risk, not the raw threat event frequency needed for FAIR. Option D is wrong because the number of affected systems is a component of loss magnitude (e.g., asset value at risk), but without knowing how often attacks occur (threat event frequency), you cannot compute annual loss exposure.

608
MCQ · medium

An organization is connecting its industrial control systems (ICS) to the corporate network for real-time data analytics. Which of the following is the PRIMARY risk introduced by this IT/OT convergence?

A. Reduced availability of OT systems
B. Higher cost of network equipment
C. Expansion of the attack surface to OT systems
D. Increased complexity of data analytics
Answer: C

Correct. The attack surface expands, exposing OT to network-based threats.

Why this answer

The primary risk is the expansion of the attack surface, as previously isolated OT systems become accessible from the corporate network, increasing the likelihood of cyber attacks propagating to critical industrial systems.

609
MCQ · medium

In a quantitative risk analysis using FAIR, which of the following best represents Loss Magnitude (LM)?

A. Primary Loss + Secondary Loss
B. Single Loss Expectancy (SLE)
C. Threat Event Frequency × Vulnerability
D. Annualized Loss Expectancy (ALE)
Answer: A

Correct. LM = Primary Loss + Secondary Loss in FAIR.

Why this answer

In FAIR, Loss Magnitude (LM) is the sum of Primary Loss (direct costs) and Secondary Loss (indirect costs) resulting from a loss event.

610
MCQ · easy

Which of the following is the primary purpose of a risk and control monitoring program?

A. To identify new risks as they emerge.
B. To provide ongoing assurance that controls are operating effectively.
C. To reduce the frequency of internal audits.
D. To calculate key risk indicators.
Answer: B

Core objective of monitoring.

Why this answer

The primary purpose of a risk and control monitoring program is to provide ongoing assurance that controls are operating effectively. This is achieved through continuous or periodic testing, observation, and analysis of control activities to confirm they are designed correctly and functioning as intended to mitigate risks. Without this ongoing assurance, an organization cannot reliably know whether its risk responses remain effective over time.

Exam trap

The trap here is that candidates often confuse the primary purpose of a monitoring program (ongoing assurance) with its components or secondary benefits, such as identifying new risks (A) or calculating KRIs (D), leading them to select a narrower or derivative function instead of the core objective.

How to eliminate wrong answers

Option A is wrong because identifying new risks as they emerge is the purpose of a risk identification process or a risk assessment, not the primary goal of a control monitoring program; monitoring focuses on existing controls, not discovering new risks. Option C is wrong because reducing the frequency of internal audits is a potential secondary benefit of a strong monitoring program, but it is not the primary purpose; the core objective is assurance on control effectiveness, not audit reduction. Option D is wrong because calculating key risk indicators (KRIs) is a specific monitoring technique that may be used within a monitoring program, but it is not the primary purpose; the program's goal is broader assurance, not just the calculation of metrics.

611
MCQ · medium

An Architecture Review Board (ARB) is evaluating a new solution architecture for a customer-facing web application. Which of the following is the PRIMARY risk the ARB should consider?

A. The application does not support mobile devices
B. The application development timeline is aggressive
C. The application uses the latest JavaScript framework
D. The application exposes sensitive customer data through APIs without proper authentication
Answer: D

This is a significant security risk that could lead to data breach.

Why this answer

The ARB's role includes ensuring security risks are identified before implementation. Among the options, exposure of sensitive customer data is the most critical security risk that could impact the organization's reputation and compliance.

612
MCQ · easy

For a risk with very low likelihood and low impact, what is the typical risk response?

A. Mitigate
B. Transfer
C. Avoid
D. Accept
Answer: D

Acceptance is the default for low risks.

Why this answer

When a risk has very low likelihood and low impact, the cost of implementing controls (mitigation, transfer, or avoidance) typically exceeds the potential loss. Accepting the risk is the most cost-effective response, as it acknowledges the residual risk without active treatment. This aligns with the principle that risk acceptance is appropriate for risks below the organization's risk appetite threshold.

Exam trap

The trap here is that candidates mistakenly apply mitigation or transfer to all risks, failing to recognize that acceptance is the default response for low-likelihood, low-impact risks where the cost of treatment exceeds the potential loss.

How to eliminate wrong answers

Option A is wrong because mitigation involves reducing likelihood or impact through controls, which is unnecessary and wasteful for a risk with negligible potential loss. Option B is wrong because transfer (e.g., insurance or outsourcing) incurs premium costs or contractual overhead that outweighs the trivial exposure. Option C is wrong because avoidance (e.g., discontinuing the activity) would eliminate a low-value risk at the cost of losing business functionality or opportunity, which is disproportionate.

613
MCQ · medium

An organization is considering cyber insurance to transfer residual risk. Which factor would MOST significantly influence the premium?

A. Industry sector
B. Company revenue
C. Security controls and incident history
D. Number of employees
Answer: C

Insurers heavily weigh security maturity and past claims.

Why this answer

Insurers assess the organization's security controls and past incidents to determine risk level, which directly affects premium.

614
MCQ · medium

A company is considering outsourcing its data center operations to a cloud provider. Which risk treatment option is the company primarily exercising?

A. Risk avoidance
B. Risk mitigation
C. Risk transfer
D. Risk acceptance
Answer: C

Correct. Outsourcing transfers risk to the cloud provider.

Why this answer

Outsourcing shifts the risk of managing the data center to a third party, which is risk transfer. Contractual liability may also be transferred.

615
MCQ · hard

Refer to the exhibit. Based on the exhibit, what is the most appropriate action regarding the control OWF?

A. The control is effective because the traffic was blocked.
B. The control is ineffective because alerts indicate potential malware.
C. The control should be reviewed because the alert frequency is approaching the threshold.
D. No action is needed because the threshold has not been reached.
Answer: C

Proactive review can prevent reaching the threshold and identify root causes.

Why this answer

The exhibit shows that the OWF (Outbound Web Filtering) control has logged 95 alerts against a threshold of 100. Since the alert frequency is approaching but has not yet reached the threshold, the most appropriate action is to review the control to determine if the threshold is still appropriate or if the control needs tuning. Option C correctly identifies this proactive monitoring step, which aligns with the CRISC domain of Risk and Control Monitoring and Reporting.

Exam trap

The trap here is that candidates assume no action is needed until the threshold is reached, but CRISC emphasizes proactive review when metrics approach thresholds to prevent control failures or misconfigurations.

How to eliminate wrong answers

Option A is wrong because the control being effective is not determined solely by traffic being blocked; the high alert frequency indicates a potential issue that requires review, not a confirmation of effectiveness. Option B is wrong because while alerts may indicate potential malware, the question does not provide evidence that the alerts are false positives or actual malware; the key issue is the frequency approaching the threshold, not the nature of the alerts. Option D is wrong because even though the threshold has not been reached, the proximity to the threshold (95 out of 100) warrants a review to prevent exceeding the threshold and to ensure the control is properly configured.

616
MCQ · easy

An organization decides to discontinue a high-risk business process that cannot be effectively mitigated. This is an example of which risk treatment option?

A. Risk acceptance
B. Risk transfer
C. Risk mitigation
D. Risk avoidance
Answer: D

Correct. Discontinuing the process avoids the risk.

Why this answer

Avoidance involves eliminating the activity that creates the risk, thus removing the risk entirely.

617
MCQ · hard

In the context of threat modeling for a web application, which technique is specifically designed to be integrated into Agile and DevSecOps processes, emphasizing collaboration and visualization?

A. VAST
B. STRIDE
C. TRIKE
D. PASTA
Answer: A

VAST is built for Agile and DevSecOps with visual collaboration.

Why this answer

VAST (Visual, Agile, and Simple Threat modeling) is tailored for Agile and DevSecOps environments.

618
MCQ · hard

A risk manager is evaluating the effectiveness of a control that requires dual authorization for high-value transactions. The Key Control Indicator (KCI) for this control is the rate of transactions processed without dual authorization (i.e., exception rate). If the acceptable exception rate is less than 1% and the observed rate is 2.5%, what is the most appropriate immediate action?

A. Investigate the root cause of the exceptions
B. Redesign the control immediately
C. Accept the risk since the rate is still low
D. Increase the acceptable exception rate to 2.5%
Answer: A

Root cause analysis is needed to determine why the control is failing.

Why this answer

The observed exception rate of 2.5% exceeds the acceptable threshold of 1%, indicating a control deficiency. The most appropriate immediate action is to investigate the root cause of the exceptions to determine whether the control is failing due to process gaps, user behavior, or system issues. Root cause analysis (RCA) is a foundational step before any remediation, as it prevents premature redesign or unjustified risk acceptance.

Exam trap

The trap here is that candidates may assume a 2.5% exception rate is still 'low' and choose to accept the risk (Option C), but CRISC emphasizes that any deviation from the acceptable threshold requires investigation and remediation, not automatic acceptance.

How to eliminate wrong answers

Option B is wrong because redesigning the control immediately without understanding why the exceptions occur could introduce new risks or waste resources on an ineffective solution; the control may only need tuning or enforcement. Option C is wrong because accepting a risk that exceeds the defined acceptable exception rate violates the risk appetite and policy, and 2.5% is not 'low' when the threshold is 1%. Option D is wrong because increasing the acceptable exception rate to match the observed rate eliminates the control's effectiveness and undermines the purpose of the KCI, which is to detect and reduce unauthorized transactions.

619
MCQ · hard

During a risk assessment, the risk practitioner develops a scenario involving a disgruntled employee exfiltrating sensitive customer data through a USB drive. The organization has a strict policy against removable media but lacks technical controls to prevent USB usage. Which element of the risk scenario is the vulnerability?

A. Data exfiltration
B. Lack of technical controls to prevent USB usage
C. Disgruntled employee
D. Sensitive customer data
Answer: B

This is the weakness that can be exploited.

Why this answer

The vulnerability is the lack of technical controls to prevent USB usage, which is a weakness that can be exploited by the threat actor (disgruntled employee) to cause the threat event (data exfiltration).

620
MCQ · easy

Which of the following best describes risk capacity?

A. The acceptable risk level for each risk category
B. The total risk identified in the risk universe
C. The amount of risk the organization is willing to accept
D. The maximum risk the organization can absorb before threatening viability
Answer: D

Correct definition of risk capacity.

Why this answer

Risk capacity is the maximum level of risk an organization can absorb before its viability is threatened.

621
MCQ · easy

What is the primary purpose of a control self-assessment (CSA)?

A. To involve process owners in evaluating control effectiveness.
B. To replace external audits.
C. To automate monitoring.
D. To generate compliance reports.
Answer: A

CSA empowers process owners to assess and improve controls.

Why this answer

The primary purpose of a control self-assessment (CSA) is to involve process owners in evaluating the effectiveness of controls within their own areas of responsibility. This approach leverages the deep operational knowledge of those who design and execute processes daily, enabling them to identify control gaps and improvement opportunities that external auditors might miss. By fostering ownership and accountability, CSA enhances the control environment without replacing independent assurance functions.

Exam trap

The trap here is that candidates confuse the purpose of CSA with its potential outputs, such as compliance reports or automation, rather than recognizing its core intent to empower process owners in self-evaluation and continuous improvement.

How to eliminate wrong answers

Option B is wrong because CSA is not designed to replace external audits; external audits provide independent, objective assurance that CSA cannot offer due to inherent self-assessment bias. Option C is wrong because CSA is a manual, participatory evaluation process, not an automated monitoring tool; automation may support data collection but is not the core purpose. Option D is wrong because while CSA results can inform compliance reports, generating compliance reports is a secondary output, not the primary purpose; the main goal is to engage process owners in control evaluation.

622
MCQ · easy

Which of the following is a key characteristic of a well-maintained risk register?

A. It is maintained solely by the IT department
B. It is static and reviewed annually
C. It is updated regularly to reflect changes
D. It includes only high-impact risks
Answer: C

Regular updates ensure the register remains relevant.

Why this answer

A risk register must be dynamic and updated as new risks emerge or existing risks change. Regular review and updates are essential for its effectiveness.

623
Multi-Select · medium

A security awareness program is being designed to promote a risk-aware culture. Which TWO elements are most critical for the program's success?

Select 2 answers
A. Establishing a risk committee
B. Mandatory annual testing with pass/fail
C. Detailed technical training for all staff
D. Tone from the top
E. Communicating risk in business terms
Answers: D, E

Leadership sets the example and emphasizes importance.

Why this answer

Tone from the top demonstrates management commitment, and communicating risk in business terms ensures that employees understand the relevance to their roles. These are key to fostering a risk-aware culture.

624
MCQ · easy

Which of the following is a key component of the NIST Cybersecurity Framework's Identify function?

A. Response planning
B. Recovery plan implementation
C. Risk assessment
D. Anomalies and events detection
Answer: C

Risk assessment is part of the Identify function.

Why this answer

The Identify function includes asset management, business environment, governance, risk assessment, and risk management strategy. Risk assessment is a key component.

625
MCQ · medium

A risk analyst uses a 5x5 heat map to evaluate a set of IT risks. For a particular risk, the likelihood is rated as 4 (likely) and impact as 5 (very high). What is the resulting risk rating?

A. Low
B. Medium
C. Critical
D. High
Answer: C

Critical is the highest category, typically scores 16-25.

Why this answer

In a 5x5 heat map, risk rating is typically the product or sum of likelihood and impact. With likelihood 4 and impact 5, the product is 20, which falls in the critical category.

626
MCQ · medium

In the context of ERM integration, IT risk is typically considered a subset of which broader risk category?

A. Strategic risk
B. Financial risk
C. Compliance risk
D. Operational risk
Answer: D

Correct. IT risk is part of operational risk.

Why this answer

In Enterprise Risk Management (ERM) integration, IT risk is typically categorized as a subset of operational risk because it directly impacts the availability, integrity, and confidentiality of information systems and data, which are core operational assets. Operational risk encompasses failures in internal processes, people, and systems, and IT risk—such as system outages, data breaches, or software defects—falls squarely within this domain. This alignment is reinforced by frameworks like COSO and ISO 31000, which treat technology-related failures as operational risk events.

Exam trap

The trap here is that candidates confuse IT risk with compliance risk (Option C) because many IT failures have regulatory implications (e.g., GDPR breaches), but IT risk is fundamentally about operational continuity, not just legal adherence.

How to eliminate wrong answers

Option A is wrong because strategic risk involves high-level decisions that affect long-term business goals (e.g., market entry or M&A), not the day-to-day technology failures that IT risk addresses. Option B is wrong because financial risk focuses on market fluctuations, credit, and liquidity, whereas IT risk is about system reliability and security, not monetary instruments. Option C is wrong because compliance risk is a subset of operational risk that deals with legal and regulatory adherence, but IT risk is broader, covering non-compliance issues like system performance and availability.

627
MCQ · medium

During a risk assessment, a risk practitioner identifies that a legacy application uses a deprecated encryption protocol. The application is critical for business operations and cannot be patched. Which of the following is the BEST approach to assess the risk?

A. Replace the application with a modern alternative
B. Analyze the threat landscape and existing compensating controls to determine residual risk
C. Assign a high inherent risk score without further analysis
D. Immediately escalate to senior management for an exception
Answer: B

Proper assessment involves analyzing threats and compensating controls to estimate residual risk.

Why this answer

Option B is correct because the best approach to assess risk for a legacy application using a deprecated encryption protocol (e.g., SSL 3.0 or TLS 1.0) is to analyze the threat landscape and existing compensating controls. This allows the risk practitioner to determine the residual risk by considering factors such as whether the application is only accessible on an isolated network segment, whether network-level encryption (e.g., IPsec or a VPN tunnel) is in place, and whether the protocol is vulnerable to specific attacks like POODLE or BEAST. Simply assigning a high inherent risk score without further analysis (Option C) ignores compensating controls, while immediate escalation (Option D) or replacement (Option A) are risk treatment decisions, not risk assessment activities.

Exam trap

The trap here is that candidates confuse risk assessment with risk treatment, mistakenly selecting Option A (replacement) or Option D (escalation) as the 'best approach' when the question specifically asks for the assessment step, not the remediation step.

How to eliminate wrong answers

Option A is wrong because replacing the application is a risk treatment (mitigation) decision, not a risk assessment activity; the question asks for the best approach to assess the risk, not to resolve it. Option C is wrong because assigning a high inherent risk score without further analysis fails to consider compensating controls (e.g., network segmentation, VPN tunneling, or application-layer proxies) that could reduce the likelihood or impact, leading to an inaccurate risk assessment. Option D is wrong because immediately escalating to senior management for an exception is a governance action that should occur after the risk has been properly assessed, not as the assessment itself; it bypasses the necessary analysis of threats and controls.

628
MCQ · medium

A retail company monitors its key risk indicator (KRI) for credit card transaction fraud. The KRI has exceeded the established threshold for three consecutive days, but the weekly control performance report shows all fraud detection controls operating effectively. What should the risk practitioner do FIRST?

A. Immediately enhance the fraud detection controls.
B. Report the KRI breach to the board and recommend risk acceptance.
C. Adjust the KRI threshold to align with current control performance.
D. Investigate the data source of the KRI to ensure accuracy and timeliness.
Answer: D

Verifying data integrity is the logical first step before any other action.

Why this answer

The KRI breach may be caused by data inaccuracies or delays in the data feed, not by an actual increase in fraud. Investigating the data source ensures the KRI is reliable before taking any further action, aligning with the principle of validating monitoring data before making control decisions.

Exam trap

The trap here is that candidates assume a KRI breach always indicates a control failure, leading them to immediately enhance controls or adjust thresholds, rather than first verifying the data integrity of the KRI itself.

How to eliminate wrong answers

Option A is wrong because enhancing controls without verifying the KRI data could waste resources on a non-existent problem. Option B is wrong because reporting to the board and recommending risk acceptance is premature without confirming the KRI's accuracy and timeliness. Option C is wrong because adjusting the threshold to match control performance would mask a potential data quality issue and violate the integrity of the KRI as an early warning indicator.

629
Multi-Select · hard

A risk practitioner is using the TRIKE threat modeling methodology. Which TWO of the following are characteristics of TRIKE?

Select 2 answers
A. It is a requirements-based model
B. It is designed for analyzing denial-of-service threats
C. It is a visual, agile methodology for DevSecOps
D. It uses actor and asset views
E. It focuses on attack trees and threat libraries
Answers: A, D

TRIKE starts from requirements.

Why this answer

TRIKE is requirements-based and uses actor- and asset-centric views.

630
MCQmedium

You are the IT risk manager at a multinational corporation that recently migrated its customer database to a cloud-based platform. The database contains personally identifiable information (PII) subject to GDPR. During a routine vulnerability scan, you discover that the database is accessible from the internet without encryption (port 1433 open). The cloud provider's shared responsibility model indicates that securing the database configuration is the customer's responsibility. You have identified the risk as high likelihood and high impact. The business owner argues that the database is only accessible to a limited IP range and that encryption would degrade performance. Which course of action should you recommend to treat the risk?

A.Transfer the risk by purchasing cyber insurance
B.Close the port or implement a VPN, and enforce encryption
C.Accept the risk because the IP restriction reduces likelihood
D.Implement a web application firewall (WAF) to monitor traffic
AnswerB

This directly mitigates the vulnerability and ensures compliance.

Why this answer

Option B is correct because closing the port, or placing access behind a VPN, removes the direct internet exposure of the database listener, and enforcing encryption in transit protects the PII that GDPR obliges the organization to safeguard. The business owner's IP restriction narrows who can reach the port but does nothing about cleartext transmission, and a performance concern is a reason to tune the encryption configuration, not to leave PII unprotected.

How to eliminate wrong answers

Option A is wrong because cyber insurance transfers some of the financial consequences but does not reduce the actual exposure; the internet-reachable, unencrypted database remains. Option C is wrong because accepting a high-likelihood, high-impact risk to PII without compensating controls is inconsistent with GDPR's security-of-processing obligations. Option D is wrong because a WAF is a compensating control for web application traffic; it neither encrypts the database connection nor removes the exposed port.

631
MCQmedium

A vendor risk manager is tiering vendors based on the criticality of services and data access. A vendor that processes sensitive customer data for a core business application should be classified as which tier?

A.Critical
B.Low
C.Medium
D.High
AnswerA

Critical tier is for vendors with sensitive data and core services.

Why this answer

A vendor processing sensitive customer data for a core business application poses the highest potential impact on confidentiality, integrity, and availability. This aligns with the definition of a Critical tier, where failure or breach would cause severe business disruption, regulatory penalties, and reputational damage. The classification is driven by the combination of sensitive data access and the application's essential role in business operations.

Exam trap

The trap here is that candidates may confuse 'High' with 'Critical' because both imply significant risk, but vendor tiering schemes reserve Critical as the highest tier for vendors whose failure would cause catastrophic business impact, typically those that combine sensitive data access with core processes, which is exactly this vendor's profile.

How to eliminate wrong answers

Option B is wrong because a Low tier is reserved for vendors with no access to sensitive data and minimal impact on business operations, which does not apply here. Option C is wrong because a Medium tier typically involves vendors with some data access but not to sensitive customer data, and their services are not core to business continuity. Option D is wrong because a High tier, while indicating significant risk, is often used for vendors with critical services but limited sensitive data access; the presence of both sensitive customer data and a core business application elevates the risk to Critical.

632
MCQmedium

A risk practitioner is creating a risk scenario for a ransomware attack. Which of the following is the BEST sequence to describe the scenario using the ISACA risk scenarios template?

A.Asset/resource, event, threat actor, timing, detection, response, threat type
B.Threat type, event, asset/resource, threat actor, timing, detection, response
C.Threat actor, threat type, event, asset/resource, timing, detection, response
D.Event, threat actor, asset/resource, timing, detection, response, threat type
AnswerC

Why this answer

The correct sequence in a risk scenario is: threat actor -> threat type -> event -> asset/resource -> timing -> detection -> response. This structure helps in understanding the complete chain of events leading to impact.

633
MCQhard

A financial institution is evaluating the risk of a new mobile payment application. The risk team calculates the Annual Loss Expectancy (ALE) as $500,000 based on a single loss expectancy (SLE) of $100,000 and an annual rate of occurrence (ARO) of 5. After implementing a new encryption control at a cost of $150,000 per year, the ALE is reduced to $200,000. What is the residual risk in terms of ALE after one year of control operation?

A.$200,000
B.$500,000
C.$350,000
D.$300,000
AnswerA

This is the post-control ALE, representing residual risk.

Why this answer

The residual risk is the remaining Annual Loss Expectancy (ALE) after controls are applied. Since the ALE after implementing the encryption control is explicitly stated as $200,000, that is the residual risk after one year of control operation. The control cost of $150,000 is a separate cost-of-control figure and does not reduce the ALE further; it is used for cost-benefit analysis, not for calculating residual risk.

Exam trap

The trap here is that candidates mistakenly subtract the control cost from the original or reduced ALE, thinking residual risk equals ALE minus control expenditure, when in fact residual risk is simply the post-control ALE as stated.

How to eliminate wrong answers

Option B ($500,000) is wrong because it represents the original ALE before any controls were implemented, ignoring the risk reduction from the encryption control. Option C ($350,000) is wrong because it incorrectly subtracts the control cost ($150,000) from the original ALE ($500,000), confusing cost of control with risk reduction. Option D ($300,000) is wrong because it incorrectly subtracts the control cost from the reduced ALE ($200,000), which is not how residual risk is calculated; residual risk is the remaining ALE after controls, not net of control costs.

634
MCQhard

During a quarterly risk review, the CISO notes that the number of failed authentication attempts has increased by 300% over the last month. The IT team confirms no changes to authentication systems. This metric is BEST categorized as which of the following?

A.Key Performance Indicator (KPI)
B.Service Level Agreement (SLA) metric
C.Key Risk Indicator (KRI)
D.Key Control Indicator (KCI)
AnswerC

KRIs are leading indicators that indicate potential changes in risk exposure.

Why this answer

A Key Risk Indicator (KRI) is a metric used to signal a change in risk exposure. A 300% increase in failed authentication attempts, with no changes to the authentication system, strongly indicates a potential ongoing brute-force attack or credential stuffing campaign, directly elevating the risk of unauthorized access. This metric is not measuring performance (KPI), contractual service levels (SLA), or the effectiveness of a specific control (KCI), but rather a change in the risk landscape.

Exam trap

The trap here is confusing a KRI with a KPI or KCI because all three are metrics, but a KRI specifically measures changes in risk exposure (like a sudden spike in failed logins), not operational performance or control effectiveness.

How to eliminate wrong answers

Option A is wrong because a Key Performance Indicator (KPI) measures the efficiency or effectiveness of a process or system (e.g., average authentication response time), not a change in risk exposure. Option B is wrong because a Service Level Agreement (SLA) metric is a contractual target for service availability or performance (e.g., 99.9% uptime), not a leading indicator of security risk. Option D is wrong because a Key Control Indicator (KCI) measures the operational health or performance of a specific control (e.g., percentage of accounts with MFA enabled), whereas a spike in failed logins is a direct risk signal, not a control performance metric.

635
MCQeasy

Which of the following is an example of a corrective control?

A.Incident response plan
B.Access control list
C.Security awareness training
D.Log monitoring
AnswerA

Correct; incident response corrects after an incident.

Why this answer

Corrective controls respond to and recover from risk events. Incident response procedures are corrective because they address incidents after they occur.

636
MCQeasy

Which of the following is a detective control?

A.Backup and recovery plan
B.Intrusion detection system (IDS)
C.Firewall
D.Data encryption
AnswerB

IDS detects and alerts on potential intrusions.

Why this answer

Intrusion detection systems (IDS) monitor network or host activity and alert on suspicious events as they occur; they identify and report rather than block, which is the defining property of a detective control.

637
MCQeasy

Which of the following is a key component of an IT risk management programme that documents identified risks, their likelihood, and impact?

A.Risk management policy
B.Risk register
C.Business continuity plan
D.Incident response plan
AnswerB

The risk register is the correct document for recording risks.

Why this answer

The risk register is the central repository within an IT risk management programme that formally documents identified risks, their assessed likelihood, and potential impact. It serves as the authoritative record for tracking risk ownership, mitigation status, and residual risk levels, enabling ongoing monitoring and reporting. Without a risk register, an organization cannot systematically manage or communicate its risk posture.

Exam trap

The trap here is that candidates confuse the risk register with the risk management policy, mistakenly thinking the policy document contains the detailed risk inventory, when in fact the policy only sets the governance framework while the register holds the operational risk data.

How to eliminate wrong answers

Option A is wrong because a risk management policy defines the high-level principles, objectives, and responsibilities for risk management, but it does not contain the specific inventory of identified risks, their likelihood, or impact. Option C is wrong because a business continuity plan (BCP) focuses on maintaining or restoring operations after a disruption, not on documenting the full spectrum of identified IT risks and their attributes. Option D is wrong because an incident response plan (IRP) outlines procedures for detecting, responding to, and recovering from security incidents, but it does not serve as the ongoing record of all identified risks, their likelihood, and impact.

638
MCQmedium

An organization is implementing a new access control system. Which of the following is the MOST important consideration during the implementation phase?

A.Control ownership assignment
B.User training
C.Change management
D.Documentation update
AnswerC

Change management ensures controlled implementation, reducing the risk of unintended consequences.

Why this answer

During the implementation phase of a new access control system, change management is the most critical consideration because it ensures that all changes to the authentication and authorization infrastructure are controlled, tested, and approved before deployment. Without a formal change management process, misconfigurations in protocols like LDAP, RADIUS, or SAML can lead to security gaps or service outages, making it the foundational control for a successful rollout.

Exam trap

The trap here is that candidates often confuse 'most important during implementation' with 'most important overall,' leading them to select user training or documentation, but CRISC emphasizes that uncontrolled changes introduce the highest risk of failure and security incidents during the deployment phase.

How to eliminate wrong answers

Option A is wrong because control ownership assignment is a governance activity that occurs during the design or planning phase, not during implementation; it defines who is accountable for the control after deployment, but does not address the immediate risks of introducing new technology. Option B is wrong because user training, while important for adoption, is a post-implementation or operational activity that does not mitigate the technical risks of misconfiguration or integration failure during the actual deployment of the access control system. Option D is wrong because documentation update is a supporting activity that should occur throughout the lifecycle, but it is not the most critical consideration during implementation; failing to update documentation does not directly cause security incidents or system downtime like a poorly managed change can.

639
MCQeasy

A company has implemented a new control to detect unauthorized access attempts. What is the PRIMARY purpose of monitoring this control?

A.To provide evidence for regulatory audits.
B.To reduce the number of unauthorized access attempts.
C.To confirm the control is working effectively.
D.To calculate the residual risk level.
AnswerC

Ensures the control functions as designed.

Why this answer

The primary purpose of monitoring a detective control, such as one that detects unauthorized access attempts, is to confirm that the control is operating effectively as designed. Monitoring provides ongoing assurance that the control is correctly identifying and logging unauthorized access events, which is essential for maintaining the security posture and for timely incident response.

Exam trap

The trap here is confusing the purpose of monitoring a control (verifying its effectiveness) with the purpose of the control itself (detecting or preventing incidents), leading candidates to choose a benefit like audit evidence or risk calculation instead.

How to eliminate wrong answers

Option A is wrong because while monitoring logs can provide evidence for audits, that is a secondary benefit, not the primary purpose of monitoring a detective control. Option B is wrong because a detective control does not reduce the number of unauthorized access attempts; it only detects them after they occur. Option D is wrong because calculating residual risk is a risk assessment activity that uses control effectiveness data, but the immediate purpose of monitoring is to verify control operation, not to compute risk levels.

640
MCQeasy

A database error log shows repeated login failures followed by a successful authentication. Which control failure is MOST likely?

A.Account lockout policy is not enforced
B.No multi-factor authentication
C.Insufficient failed login monitoring
D.Weak password policy
AnswerA

Account should have been locked after a few failures.

Why this answer

The repeated login failures followed by a successful authentication indicate that the account lockout policy was not enforced. Without a lockout (or rate-limiting) threshold, an attacker can keep submitting guesses until one succeeds. This is a direct failure of the account lockout control, which is designed to defeat online brute-force attacks by disabling the account, or throttling further attempts, after a defined number of failures. Thresholds are organization-specific; NIST SP 800-63B, for example, requires the verifier to limit an attacker to no more than 100 consecutive failed attempts on a single account, and most enterprise policies lock out far sooner.

Exam trap

The trap here is that candidates confuse a detective control (monitoring) with a preventive control (lockout), or assume that MFA would have prevented the successful login, when in fact the question focuses on the repeated failures preceding success, which is the hallmark of a missing lockout policy.

How to eliminate wrong answers

Option B is wrong because multi-factor authentication (MFA) mitigates credential theft after password compromise, but it does not prevent the brute-force attack itself; the question focuses on the repeated failures leading to success, which is a lockout failure. Option C is wrong because insufficient failed login monitoring is a detective control failure, not a preventive one; the log shows the failures were recorded, so monitoring exists, but the attack succeeded due to a missing preventive control. Option D is wrong because a weak password policy (e.g., short or common passwords) makes guessing easier, but the core issue is that unlimited attempts were allowed; even a strong password can be brute-forced if no lockout is enforced.
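The log pattern in this question (a burst of failures, then a success for the same account) can be both detected after the fact and prevented by the lockout control the answer names. The following Python is an added example, not part of the original question bank: it parses constructed log lines in an assumed format, reports every success preceded by at least five failures within fifteen minutes, and then replays the same attempts through a simple lockout policy to show that, with the control enforced, the seventh attempt would have been refused even though the password was right. The threshold, window and lockout duration are assumptions for the demonstration, not values from the question or from any standard.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed log format; field names are assumptions, not a real product's schema.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>SUCCESS|FAIL)$"
)

# Constructed sample: six failures for one account in twelve seconds, then a
# success from the same source; a normal user mistypes once and then logs in.
SAMPLE_LOG = """\
2024-03-07T10:15:01Z db01 auth: user=svc_report src=10.0.0.5 result=FAIL
2024-03-07T10:15:03Z db01 auth: user=svc_report src=10.0.0.5 result=FAIL
2024-03-07T10:15:05Z db01 auth: user=svc_report src=10.0.0.5 result=FAIL
2024-03-07T10:15:07Z db01 auth: user=svc_report src=10.0.0.5 result=FAIL
2024-03-07T10:15:09Z db01 auth: user=svc_report src=10.0.0.5 result=FAIL
2024-03-07T10:15:11Z db01 auth: user=svc_report src=10.0.0.5 result=FAIL
2024-03-07T10:15:13Z db01 auth: user=svc_report src=10.0.0.5 result=SUCCESS
2024-03-07T10:20:00Z db01 auth: user=alice src=10.0.0.42 result=FAIL
2024-03-07T10:20:09Z db01 auth: user=alice src=10.0.0.42 result=SUCCESS
"""


def parse_events(log_text):
    """Yield (timestamp, user, source_ip, succeeded) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue   # a production parser would count unparsed lines, not drop them
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        yield ts, m["user"], m["src"], m["result"] == "SUCCESS"


def find_guessed_logins(log_text, threshold=5, window=timedelta(minutes=15)):
    """Detective side: every SUCCESS preceded by >= threshold FAILs for the
    same account inside `window`. Returns [(user, src, failure_count)]."""
    recent_failures = defaultdict(list)   # user -> failure timestamps still in window
    findings = []
    for ts, user, src, ok in parse_events(log_text):
        fails = [t for t in recent_failures[user] if ts - t <= window]
        if ok:
            if len(fails) >= threshold:
                findings.append((user, src, len(fails)))
            recent_failures[user] = []
        else:
            fails.append(ts)
            recent_failures[user] = fails
    return findings


class LockoutPolicy:
    """Preventive side: after `threshold` failures inside `window`, refuse the
    account for `lockout`, even when the supplied password is correct."""

    def __init__(self, threshold=5, window=timedelta(minutes=15),
                 lockout=timedelta(minutes=30)):
        self.threshold, self.window, self.lockout = threshold, window, lockout
        self.failures = defaultdict(list)
        self.locked_until = {}

    def attempt(self, ts, user, password_ok):
        until = self.locked_until.get(user)
        if until is not None and ts < until:
            return "LOCKED"             # lockout wins even over a correct password
        fails = [t for t in self.failures[user] if ts - t <= self.window]
        if password_ok:
            self.failures[user] = []
            return "SUCCESS"
        fails.append(ts)
        if len(fails) >= self.threshold:
            self.locked_until[user] = ts + self.lockout
            self.failures[user] = []
            return "LOCKED"
        self.failures[user] = fails
        return "FAIL"


def replay_with_lockout(log_text, policy=None):
    """Replay the same attempts through the lockout policy to see which ones
    the control would have refused."""
    policy = policy or LockoutPolicy()
    return [policy.attempt(ts, user, ok) for ts, user, _, ok in parse_events(log_text)]


if __name__ == "__main__":
    print("detected:", find_guessed_logins(SAMPLE_LOG))
    print("with lockout enforced:", replay_with_lockout(SAMPLE_LOG))
```

The two functions illustrate the distinction the exam trap relies on: `find_guessed_logins` is the detective control (the failures were logged, so monitoring exists), while `LockoutPolicy` is the missing preventive control; in the replay the fifth failure locks the account and the later correct password is refused, so the successful authentication in the log could not have happened with the lockout in force. Note that the replay locks by account, which is what the question is about; a real deployment also throttles by source address so that an attacker cannot lock legitimate users out on purpose.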

641
MCQmedium

Refer to the exhibit. During a risk identification exercise for the internal network, the risk manager reviews this firewall log entry. Which of the following risks is MOST directly suggested by this log entry?

A.Sensitive data is being exfiltrated via SMB.
B.An attacker could use SMB to move laterally from a compromised workstation to the server.
C.The workstation may be accessing the internet via the server.
D.The organization is vulnerable to a distributed denial-of-service (DDoS) attack.
AnswerB

SMB is commonly used for lateral movement in attacks.

Why this answer

The firewall log shows an inbound SMB connection (port 445) from a workstation (10.0.0.5) to a server (10.0.0.10). SMB is commonly used for file sharing and remote administration, and if the workstation is compromised, an attacker can leverage SMB to move laterally to the server, potentially gaining access to sensitive data or escalating privileges. This aligns with the risk of lateral movement, which is a primary concern in internal network segmentation.

Exam trap

The trap here is that candidates may focus on the protocol (SMB) and assume data exfiltration (Option A) without considering the direction of traffic (inbound to the server) and the typical use of SMB for lateral movement in internal networks.

How to eliminate wrong answers

Option A is wrong because SMB is a protocol for file sharing and remote administration, not typically used for exfiltration; exfiltration often uses HTTP/S, FTP, or DNS tunneling, and the log shows a single inbound connection, not a sustained outbound data transfer. Option C is wrong because the log shows traffic from the workstation to the server (inbound to the server), not the workstation accessing the internet via the server; internet access would typically involve outbound traffic to external IPs, not internal SMB connections. Option D is wrong because a DDoS attack requires a flood of traffic from multiple sources to overwhelm a target, and this log shows a single connection from one workstation to one server, with no indication of volume or distributed sources.
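The exhibit itself is not reproduced on this page, but the explanation describes a single allowed SMB connection from a workstation to a server. The Python below is an added example, not part of the original question bank: it parses constructed firewall log lines in an assumed format and, using an assumed asset inventory (host roles and internal ranges), maps each allowed flow to the risk it most directly suggests, distinguishing workstation-to-server SMB (the lateral-movement path in the answer) from workstation-to-workstation SMB, SMB leaving the network, and servers initiating outbound connections. All addresses, ranges and host roles are constructed for the demonstration.

```python
import ipaddress
import re
from collections import Counter

# Constructed log format (not a real vendor's syntax):
#   <timestamp> <ALLOW|DENY> <TCP|UDP> <src>:<sport> -> <dst>:<dport>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Assumed environment: internal ranges and an inventory mapping hosts to roles.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
ASSET_ROLES = {"10.0.0.5": "workstation", "10.0.0.7": "workstation",
               "10.0.0.10": "server", "10.0.0.11": "server"}
SMB_PORTS = {139, 445}

# Constructed sample: the flow from the question, plus a few contrasting ones.
SAMPLE_LOG = """\
2024-03-07T10:15:13Z ALLOW TCP 10.0.0.5:51234 -> 10.0.0.10:445
2024-03-07T10:15:20Z ALLOW TCP 10.0.0.5:51240 -> 10.0.0.7:445
2024-03-07T10:16:02Z ALLOW TCP 10.0.0.5:51250 -> 203.0.113.10:443
2024-03-07T10:16:30Z DENY TCP 10.0.0.5:51260 -> 203.0.113.10:445
2024-03-07T10:17:00Z ALLOW TCP 10.0.0.10:40000 -> 203.0.113.10:443
"""


def role_of(ip):
    """Role from the inventory; anything outside the internal ranges is external."""
    addr = ipaddress.ip_address(ip)
    if not any(addr in net for net in INTERNAL_NETS):
        return "external"
    return ASSET_ROLES.get(ip, "internal-unknown")


def classify(src, dst, dport):
    """Map one allowed flow to the risk it most directly suggests."""
    s, d = role_of(src), role_of(dst)
    if dport in SMB_PORTS:
        if d == "external":
            return "smb-to-internet"          # should never be allowed outbound
        if s == "workstation" and d == "server":
            return "lateral-movement-path"    # the flow described in the question
        if s == "workstation" and d == "workstation":
            return "peer-smb"                 # worm-style spread, rarely legitimate
    if s == "server" and d == "external":
        return "server-egress"                # servers initiating outbound: review
    return "baseline"


def assess(log_text):
    """Count allowed flows per risk category; denied flows are not exposure."""
    findings = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["action"] != "ALLOW":
            continue
        findings[classify(m["src"], m["dst"], int(m["dport"]))] += 1
    return findings


if __name__ == "__main__":
    for category, n in assess(SAMPLE_LOG).most_common():
        print(f"{category}: {n}")
```

The classification depends entirely on knowing which hosts are workstations and which are servers, which is why the asset inventory is an input to risk identification rather than an afterthought; the same port-445 flow between two unknown internal hosts falls through to "baseline" here because there is nothing to say it is out of place. The denied outbound SMB attempt is deliberately not counted, since a blocked flow is evidence the egress control works, not exposure.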

642
MCQeasy

After a risk assessment, the risk owner states that the residual risk for a specific asset is within the organization's risk tolerance. Which of the following BEST describes the action that should be taken?

A.Transfer the risk to a third party
B.Implement additional controls to reduce risk further
C.Formally accept the risk and document the decision
D.Reassess the risk using a quantitative method
AnswerC

Acceptance is appropriate when residual risk is within tolerance.

Why this answer

When the risk owner confirms that residual risk is within the organization's risk tolerance, the appropriate action is to formally accept the risk and document the decision. This is a standard risk treatment option (risk acceptance) under the ISACA Risk IT Framework, where no further controls are needed because the residual risk level is already acceptable. Documenting the acceptance ensures auditability and accountability for the decision.

Exam trap

The trap here is that candidates often confuse 'residual risk within tolerance' with a need to 'transfer' or 'mitigate further,' failing to recognize that risk acceptance is the correct treatment when the risk level is already acceptable.

How to eliminate wrong answers

Option A is wrong because transferring the risk (e.g., via cyber insurance or outsourcing) is unnecessary when the residual risk is already within tolerance; transfer would introduce additional cost and complexity without benefit. Option B is wrong because implementing additional controls would over-engineer the risk response, wasting resources on reducing risk below the accepted tolerance level, which violates the principle of cost-effective risk management. Option D is wrong because reassessing the risk using a quantitative method is not required; the risk has already been assessed and the residual risk is within tolerance—reassessment would be redundant and delay the decision.

643
Multi-Selecteasy

Which TWO are primary objectives of IT risk identification?

Select 2 answers
A.Assign risk owners
B.Determine risk appetite
C.Identify threats and vulnerabilities
D.Inventory assets
E.Implement controls
AnswersC, D

This is the direct objective of risk identification.

Why this answer

Option C is correct because IT risk identification primarily involves cataloging threats (e.g., malware, insider misuse) and vulnerabilities (e.g., unpatched CVEs, misconfigured firewalls) that could be exploited against assets. Option D is correct because an asset inventory is the starting point of identification: threats and vulnerabilities are only meaningful in relation to the assets they affect, and an asset nobody knows about cannot appear in the risk register. Together these outputs populate the risk register and precede any analysis or treatment; without them, subsequent assessment and mitigation would lack a factual basis.

Exam trap

The trap here is that candidates confuse the outputs of risk identification (threats, vulnerabilities, assets) with later-stage activities like assigning ownership or implementing controls, leading them to select options A or E incorrectly.

644
MCQhard

An organization notices a spike in failed authentication attempts over the past week. This metric is best classified as which type of risk indicator?

A.Key Control Indicator (KCI)
B.Lagging indicator
C.Key Risk Indicator (KRI)
D.Compliance metric
AnswerC

KRIs are leading indicators that risk level is changing; failed authentication spike indicates potential attack.

Why this answer

A spike in failed authentication attempts is a direct measure of a risk condition (e.g., brute-force attacks or credential stuffing) that can lead to unauthorized access. This metric is best classified as a Key Risk Indicator (KRI) because it tracks changes in risk exposure over time, enabling proactive risk response. Unlike a KCI, which measures control effectiveness, or a lagging indicator, which reports past incidents, this metric signals an evolving threat in near real-time.

Exam trap

ISACA often tests the distinction between KRI and KCI by presenting a metric that could be interpreted as either, but the trap here is that failed authentication attempts directly measure risk exposure (KRI) rather than control performance (KCI), even though a control like account lockout might influence the metric.

How to eliminate wrong answers

Option A is wrong because a Key Control Indicator (KCI) measures the performance or effectiveness of a specific control (e.g., percentage of accounts with multi-factor authentication enabled), not the raw frequency of failed authentication attempts. Option B is wrong because a lagging indicator reports outcomes after they have occurred (e.g., number of successful breaches), whereas failed authentication attempts are a leading indicator of potential compromise. Option D is wrong because a compliance metric measures adherence to regulatory or policy requirements (e.g., password complexity rules), not the real-time operational risk of authentication failures.

645
MCQmedium

An organization is using the OCTAVE method for risk identification. Which activity is typically performed FIRST?

A.Identify threats
B.Identify critical assets
C.Identify vulnerabilities
D.Establish risk measurement criteria
AnswerD

OCTAVE starts with establishing criteria to frame the assessment.

Why this answer

In OCTAVE Allegro, the streamlined version of the OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation) method, Step 1 is 'Establish Risk Measurement Criteria': impact areas (for example reputation, financial, productivity, safety and legal) and their relative priorities are defined before any asset is profiled, so that later asset prioritization, threat identification and risk scoring are measured against a consistent yardstick aligned with the organization's risk appetite and tolerance.

Exam trap

ISACA often tests the misconception that asset identification is always the first step in any risk assessment methodology, but OCTAVE specifically requires establishing risk measurement criteria first to provide a consistent evaluation framework.

How to eliminate wrong answers

Option A is wrong because identifying threats occurs later in the OCTAVE process, after critical assets and risk measurement criteria have been established to provide context for threat analysis. Option B is wrong because, while identifying critical assets (profiling information assets) is an early step, it is performed after the risk measurement criteria are defined so that assets are evaluated consistently against organizational risk thresholds. Option C is wrong because identifying vulnerabilities comes later still and depends on prior asset and threat identification to focus the vulnerability analysis on relevant areas.

646
Multi-Selectmedium

A risk manager is facilitating a risk identification workshop for a new cloud migration initiative. Which TWO techniques are most effective for identifying potential IT risks at this stage?

Select 2 answers
A.Calculating the annualized loss expectancy (ALE) for each identified risk
B.Interviewing business unit managers and IT architects
C.Conducting a cost-benefit analysis of security controls
D.Reviewing post-incident reports from previous cloud migrations
E.Performing a vulnerability scan on the existing infrastructure
AnswersB, D

Stakeholder interviews elicit operational threats and business concerns.

Why this answer

Interviewing business unit managers and IT architects (Option B) is effective because it leverages domain expertise to surface operational and technical risks specific to the cloud migration, such as data residency constraints, API dependencies, or shared responsibility model gaps. This qualitative technique captures tacit knowledge that quantitative methods or automated scans cannot, making it ideal for the early identification stage. Reviewing post-incident reports from previous cloud migrations (Option D) adds lessons learned, a recognized risk identification input: it surfaces failure modes that actually materialized in comparable projects (for example mis-scoped access roles or data loss at cut-over) rather than only those the team can imagine.

Exam trap

The trap here is confusing risk identification (discovering what could go wrong) with risk analysis (quantifying likelihood/impact) or risk evaluation (comparing against criteria), leading candidates to select ALE calculation or cost-benefit analysis as identification techniques.

647
MCQhard

A multinational corporation uses a common identity management system (IdM) across all subsidiaries. During a risk assessment, it is discovered that the IdM system has a critical vulnerability that could allow privilege escalation. The patch requires a 4-hour downtime. The risk manager must decide the best course of action considering the organization's risk appetite of 'low' and the fact that the IdM system is critical for business operations. Which of the following is the BEST approach?

A.Implement a compensating control and delay patching.
B.Schedule the patch during the next maintenance window.
C.Apply the patch immediately during business hours.
D.Accept the risk and postpone patching indefinitely.
AnswerB

This minimizes disruption while addressing the vulnerability in a timely manner.

Why this answer

Option B is correct because scheduling the patch for the next maintenance window addresses the critical vulnerability in a controlled way while confining the disruption to a planned, communicated period, which is how a low risk appetite is reconciled with a business-critical system. Applying the patch immediately during business hours (Option C) would take authentication away from every subsidiary for four hours, and postponing indefinitely (Option D) leaves a privilege escalation path open, which a low risk appetite does not tolerate. A planned window also allows for pre-deployment testing, stakeholder notification and a rollback plan; if the next window is unacceptably far away for a critical flaw, the practitioner should escalate to bring it forward rather than wait silently.

Exam trap

The trap here is that candidates may choose Option C (immediate patching) thinking it is the most secure response, but they overlook the criticality of the IdM system and the unacceptable operational impact of a 4-hour downtime during business hours, which violates the organization's low risk appetite by prioritizing security over business continuity.

How to eliminate wrong answers

Option A is wrong because implementing a compensating control (e.g., additional monitoring or access restrictions) delays patching and does not eliminate the root cause of the privilege escalation vulnerability, which could still be exploited if the compensating control fails; this approach is typically used when patching is not immediately feasible, but here a maintenance window is available. Option C is wrong because applying the patch immediately during business hours would cause a 4-hour downtime for a critical IdM system, disrupting authentication for all subsidiaries and potentially violating business continuity requirements; this is not aligned with a low risk appetite that prioritizes operational stability. Option D is wrong because accepting the risk and postponing patching indefinitely directly contradicts the organization's low risk appetite, as it leaves a critical privilege escalation vulnerability unmitigated, increasing the likelihood of a security breach that could compromise the entire identity infrastructure.

648
MCQeasy

A risk practitioner is using a 5×5 heat map with likelihood and impact ratings. Which of the following is a key advantage of this qualitative risk analysis approach?

A.It provides objective, financially meaningful results.
B.It eliminates the need for expert judgment in risk assessment.
C.It is quick and easy to communicate to stakeholders.
D.It allows direct comparison of risk levels across different organizations.
AnswerC

Heat maps are simple to understand and can be produced rapidly.

Why this answer

Option C is correct because qualitative risk analysis using a 5×5 heat map is designed to be quick to perform and easy to communicate visually to non-technical stakeholders. The color-coded matrix (e.g., red for high risk, green for low risk) allows immediate understanding of risk priorities without requiring complex calculations, making it ideal for initial risk assessments and board-level reporting.

Exam trap

The trap here is that candidates often confuse qualitative analysis with providing objective financial data (Option A), but qualitative methods like heat maps are inherently subjective and ordinal, not monetary.

How to eliminate wrong answers

Option A is wrong because qualitative analysis does not provide objective, financially meaningful results; it relies on subjective ordinal scales (e.g., high, medium, low) rather than monetary values or quantitative metrics like Annualized Loss Expectancy (ALE). Option B is wrong because qualitative analysis heavily depends on expert judgment to assign likelihood and impact ratings; it does not eliminate the need for expertise. Option D is wrong because the 5×5 heat map uses organization-specific definitions for likelihood and impact scales, which are not standardized across different organizations, preventing direct comparison of risk levels.

649
MCQeasy

In a risk-aware culture, which of the following behaviors is MOST encouraged?

A.Focusing only on compliance requirements
B.Assigning blame to individuals for security breaches
C.Hiding minor incidents to maintain performance metrics
D.Reporting security incidents without fear of blame
AnswerD

Blame-free reporting promotes transparency and learning.

Why this answer

In a risk-aware culture, the primary goal is to encourage transparency and continuous improvement in risk management. Reporting security incidents without fear of blame (Option D) is most encouraged because it enables timely detection, analysis, and remediation of threats, directly supporting the Risk Response and Reporting domain by fostering an environment where incidents are escalated promptly rather than concealed.

Exam trap

The trap here is that candidates may confuse a risk-aware culture with a compliance-driven or blame-oriented culture, mistakenly thinking that strict accountability or adherence to rules is the primary driver, rather than the psychological safety that enables open incident reporting.

How to eliminate wrong answers

Option A is wrong because focusing only on compliance requirements ignores residual risks and emerging threats that are not covered by regulatory checklists, leading to a false sense of security. Option B is wrong because assigning blame to individuals for security breaches discourages reporting and shifts focus from systemic root-cause analysis to punitive measures, which undermines a learning culture. Option C is wrong because hiding minor incidents to maintain performance metrics violates the principle of transparency and can allow small issues to escalate into major breaches, compromising the organization's risk posture.

650
Multi-Selectmedium

Which TWO of the following are effective risk mitigation strategies for reducing the likelihood of a ransomware attack?

Select 2 answers
A.Installing intrusion detection systems
B.Conducting periodic vulnerability scans
C.Regularly backing up critical data
D.Deploying network segmentation
E.Implementing user awareness training
AnswersD, E

Segmentation limits the spread of ransomware, reducing likelihood of widespread infection.

Why this answer

Deploying network segmentation (D) reduces the likelihood of a ransomware attack by limiting lateral movement. If an endpoint is compromised, segmentation using VLANs or firewall rules (e.g., 802.1Q, ACLs) prevents the ransomware from spreading to critical systems, thereby reducing the attack surface and the probability of widespread encryption. User awareness training (E) directly reduces likelihood by teaching users to recognize phishing emails and malicious attachments, which are the primary initial vectors for ransomware delivery.

Exam trap

The trap here is that candidates confuse recovery controls (backups) with likelihood-reducing mitigations, or they mistake detective controls (IDS, vulnerability scans) for preventive measures that lower the probability of an attack.

651
MCQeasy

Which of the following is the primary purpose of a risk heat map in a risk report?

A.To track compliance with regulations
B.To detail remediation plans
C.To prioritize risks based on likelihood and impact
D.To show control performance over time
AnswerC

Heat maps use likelihood and impact to rank risks, aiding prioritization.

Why this answer

A risk heat map visually plots risks on a grid based on their likelihood (probability) and impact (consequence), enabling stakeholders to quickly identify which risks require immediate attention. This prioritization is the primary purpose because it directly supports risk response decisions by highlighting high-priority risks that exceed the organization's risk appetite.

Exam trap

The trap here is that candidates often confuse a risk heat map with a control effectiveness dashboard, mistakenly thinking its purpose is to show control performance over time, when in fact it is solely a prioritization tool based on likelihood and impact.

How to eliminate wrong answers

Option A is wrong because tracking compliance with regulations is a function of compliance dashboards or audit reports, not a risk heat map, which focuses on risk prioritization rather than regulatory adherence. Option B is wrong because detailing remediation plans is the purpose of a risk treatment plan or action tracker, while a heat map only shows the current risk posture without prescribing specific remediation steps. Option D is wrong because showing control performance over time is the role of control effectiveness metrics or trend charts, whereas a heat map provides a static snapshot of risk levels at a point in time, not historical control performance.

652
MCQeasy

A company has implemented a new cloud-based customer relationship management (CRM) system. The IT risk manager is tasked with identifying risks related to this system. Which of the following is the MOST important risk identification technique to use initially?

A.Conducting a series of interviews with key users of the CRM
B.Performing a penetration test on the CRM environment
C.Facilitating a risk workshop with IT, business, and security stakeholders
D.Automated vulnerability scanning of the CRM system
AnswerC

A risk workshop enables comprehensive identification of risks across people, process, and technology.

Why this answer

Option C is correct because a risk workshop brings together stakeholders (IT, business, security) to identify risks collaboratively, which is effective for a new system. Option D (automated scanning) is useful for known vulnerabilities but not for business process risks. Option B (penetration testing) is for security validation, not initial identification.

Option A (interviewing key users) is less comprehensive than a workshop.

653
MCQeasy

Which type of control is primarily designed to prevent an unwanted event from occurring?

A.Corrective control
B.Detective control
C.Directive control
D.Preventive control
AnswerD

Preventive controls aim to stop threats from happening.

Why this answer

Preventive controls are implemented to deter or avoid potential risks before they materialize.

654
Multi-Selecthard

Which THREE of the following are key indicators that a risk identification process is effective? (Choose three.)

Select 3 answers
A.The process identifies all known vulnerabilities
B.The process covers all critical business processes
C.The process involves input from key stakeholders across the organization
D.The process is repeated at regular intervals or triggered by significant changes
E.The process is completed within budget
AnswersB, C, D

Ensures comprehensive risk identification.

Why this answer

Option B is correct because an effective risk identification process must cover all critical business processes to ensure that risks are identified across the entire value chain. Without this coverage, significant risks in core operations could be missed, leading to incomplete risk assessments and potential business disruptions. This aligns with the CRISC focus on aligning IT risk management with business objectives.

Exam trap

The trap here is that candidates confuse project management metrics (like budget or schedule) with risk management effectiveness indicators, leading them to select 'completed within budget' instead of recognizing that coverage, stakeholder input, and timeliness are the true measures of a robust risk identification process.

655
MCQmedium

The exhibit shows a log entry from a GRC system. Which of the following is the MOST significant concern regarding this risk score update?

A.The control effectiveness status was not updated alongside the risk score
B.The inherent risk score decreased without any change in the business environment
C.The comment does not provide sufficient detail on the mitigation project
D.The risk owner was not notified of the change
AnswerA

Without updating control effectiveness, residual risk cannot be accurately assessed.

Why this answer

The risk score update without a corresponding update to the control effectiveness status creates a data integrity issue in the GRC system. Since the residual risk score is calculated as inherent risk multiplied by (1 - control effectiveness), changing the score without adjusting the effectiveness metric means the system's risk calculation is now inconsistent and unreliable for monitoring and reporting purposes.

Exam trap

The CRISC exam often tests the candidate's ability to identify data integrity issues in risk calculations rather than procedural or documentation details, so the trap here is that candidates may choose the comment detail option (C) because it seems like a common audit finding, but the core issue is the mathematical inconsistency in the risk score update.

How to eliminate wrong answers

Option B is wrong because a decrease in inherent risk score could be legitimate if the business environment changed (e.g., new compensating controls, reduced asset value), and the question does not state that no change occurred. Option C is wrong because while a detailed comment is good practice, the lack of detail is not the most significant concern; the core issue is the mismatch between the score and the control effectiveness status. Option D is wrong because notifying the risk owner is an operational step, but the immediate and most significant concern is the data inconsistency in the GRC system that undermines the accuracy of risk reporting.

656
MCQmedium

A security control failed to prevent unauthorized access to a sensitive database. The risk owner has been notified. What should the risk practitioner do NEXT?

A.Recalculate the residual risk level and update the risk register
B.Escalate the issue to the board of directors
C.Apply a patch to the database system immediately
D.Perform a root cause analysis on the control failure
AnswerA

Control failure changes residual risk; must reassess and document.

Why this answer

After a control failure, the risk practitioner must first reassess the residual risk level, which reflects the remaining risk after considering the failed control's ineffectiveness. Updating the risk register with the new residual risk ensures that the organization has an accurate, current view of its risk posture, which is a fundamental requirement of the risk monitoring and reporting process. This step aligns with the CRISC framework's emphasis on continuous risk assessment and documentation before any remediation or escalation actions.

Exam trap

The trap here is that candidates often jump to a technical fix (patching) or a detailed analysis (root cause) without first updating the risk register, which is the required first step in the risk monitoring and reporting process to maintain an accurate risk posture.

How to eliminate wrong answers

Option B is wrong because escalating directly to the board of directors is premature; the board requires a complete risk assessment and remediation plan, not just a notification of a control failure. Option C is wrong because applying a patch immediately is a reactive, operational fix that bypasses the necessary risk analysis and change management process, and it may not address the root cause or other compensating controls. Option D is wrong because performing a root cause analysis, while valuable, is a subsequent step that should follow the immediate risk recalculation and register update to ensure the risk is properly documented and prioritized.

657
MCQmedium

A manufacturing company uses IoT sensors on the factory floor to monitor equipment performance. The sensors transmit data to a central server via Wi-Fi. During a risk identification workshop, the operations manager reveals that some sensors are operating on outdated firmware with known vulnerabilities. The IT director proposes replacing all sensors at a high cost. The risk team notes that a breach could cause production downtime but the sensors only collect non-sensitive operational data. The company has a low tolerance for downtime. What should the risk team identify as the most critical risk?

A.Operational disruption from a potential cyber attack exploiting sensor vulnerabilities.
B.Legal liability from non-compliance with safety standards.
C.Reputational damage from a data leak.
D.Financial loss from replacing sensors.
AnswerA

Downtime is a key impact for the company.

Why this answer

The most critical risk is operational disruption from a cyber attack exploiting the known vulnerabilities in the outdated IoT sensor firmware. Since the company has a low tolerance for downtime, any breach that causes production stoppage directly impacts business continuity, outweighing the non-sensitive nature of the data collected. The sensors' Wi-Fi connectivity provides an attack surface for lateral movement or denial-of-service, making exploitation a high-probability, high-impact event.

Exam trap

The trap here is that candidates focus on data sensitivity (reputation or legal liability) instead of operational impact, failing to recognize that for a manufacturing company with low downtime tolerance, production disruption is the most critical risk even if the data is non-sensitive.

How to eliminate wrong answers

Option B is wrong because the scenario does not mention any safety standards or regulatory compliance requirements; the sensors collect non-sensitive operational data, not safety-critical parameters. Option C is wrong because the sensors only collect non-sensitive operational data, so a data leak would not cause reputational damage; the risk is operational, not data confidentiality. Option D is wrong because the financial loss from replacing sensors is a cost of mitigation, not a risk; the risk is the potential operational disruption, and the high replacement cost is a factor in risk treatment decisions, not the risk itself.

658
MCQeasy

An organization defines its risk appetite as 'no more than one major security incident per year.' During the year, a major incident occurs. The monitoring team reports this to the risk committee. What should be the NEXT step?

A.Immediately change the risk appetite to tolerate two incidents per year.
B.Review the incident to determine if risk appetite needs adjustment.
C.Report the breach to the board of directors.
D.Accept the incident and continue with current controls.
AnswerB

Appropriate escalation and review.

Why this answer

Option B is correct because the risk committee should review the incident and consider whether to adjust the risk appetite or implement additional controls. Option C is wrong because reporting to the board is premature without analysis. Option D is wrong because accepting the incident without analysis is passive.

Option A is wrong because a change may not be needed; the appetite may be reaffirmed after review.

659
Multi-Selecthard

An organization is implementing continuous monitoring for its critical systems. Which THREE of the following activities are examples of continuous monitoring? (Select three.)

Select 3 answers
A.Annual internal audit of access controls
B.Weekly vulnerability scanning of all servers
C.Real-time monitoring of firewall logs for anomalies
D.Automated correlation of security events via SIEM
E.Quarterly review of user access rights by managers
AnswersB, C, D

Weekly scanning can be considered continuous if automated.

Why this answer

Weekly vulnerability scanning of all servers is a continuous monitoring activity because it occurs at a regular, frequent interval, enabling the organization to identify and remediate vulnerabilities in a timely manner. This aligns with the principle of ongoing risk response and reporting, as it provides recurring visibility into the security posture of critical systems.

Exam trap

The trap here is that candidates often confuse periodic reviews (like quarterly or annual audits) with continuous monitoring, failing to recognize that continuous monitoring requires frequent, automated, or real-time data collection rather than infrequent manual checks.

660
MCQmedium

A mid-sized retail company operates 50 stores across three regions. Each store uses a point-of-sale (POS) system that transmits credit card transactions to a centralized payment processor. The company recently deployed a new SaaS-based inventory management application that connects to the POS system via API. The IT department has no formal process for tracking third-party connections. The risk manager suspects that unknown or unauthorized connections may exist. During a risk identification review, the risk manager discovers that the POS vendor's API documentation was shared with the inventory SaaS provider without a non-disclosure agreement (NDA). Additionally, the API keys for the POS system are stored in plain text configuration files on the inventory SaaS application server. The company's security policy requires encryption of all sensitive data in transit and at rest. Which of the following should the risk manager prioritize as the HIGHEST risk scenario to document in the risk register?

A.Exposure of POS system API keys stored in plain text on the inventory SaaS server
B.The POS system may not be PCI DSS compliant due to API sharing without NDA
C.No formal process for tracking third-party connections
D.The lack of an NDA with the inventory SaaS provider
AnswerA

Direct exposure of credentials that access payment systems, leading to high risk of data breach.

Why this answer

The plain-text storage of API keys on the inventory SaaS server represents an active, exploitable vulnerability that directly violates the company's encryption-at-rest policy. Unlike the other options, this is a confirmed technical control failure that could allow an attacker to impersonate the POS system, intercept or manipulate credit card transactions, and compromise the entire payment processing pipeline. The risk is immediate and high-impact because the keys are already exposed, not merely a procedural gap or missing legal agreement.

Exam trap

The trap here is that candidates often prioritize procedural or compliance gaps (like missing NDAs or lack of formal processes) over a concrete, exploitable technical vulnerability, failing to recognize that a realized risk with immediate impact must be documented before addressing root causes.

How to eliminate wrong answers

Option B is wrong because PCI DSS compliance is a regulatory requirement, not a risk scenario; the lack of an NDA does not automatically make the POS system non-compliant, and PCI DSS focuses on technical controls (e.g., encryption, access control) rather than contractual agreements. Option C is wrong because the absence of a formal process for tracking third-party connections is a governance weakness, not a specific, realized risk scenario with a clear threat and vulnerable asset; it is a root cause, not a risk event to document. Option D is wrong because the lack of an NDA is a legal and contractual gap, not a technical risk; while it may lead to intellectual property exposure, it does not directly expose sensitive data or systems to immediate compromise like the plain-text API keys do.

661
Multi-Selectmedium

According to the FAIR model, which TWO of the following are primary components used to calculate probable financial impact of a cyber incident?

Select 2 answers
A.Loss Magnitude (LM)
B.Threat intelligence feed
C.Control effectiveness score
D.Loss Event Frequency (LEF)
E.Vulnerability severity score
AnswersA, D

LM estimates the financial impact per loss event.

Why this answer

The FAIR model decomposes risk into Loss Event Frequency (LEF) and Loss Magnitude (LM). These two components are multiplied to derive risk.

662
Multi-Selecthard

A risk practitioner is calculating the residual risk for a critical asset. Which THREE factors should be considered?

Select 3 answers
A.Cost of controls
B.Control design adequacy
C.Risk appetite
D.Inherent risk level
E.Control operating effectiveness
AnswersB, D, E

Design adequacy determines if controls can address the risk.

Why this answer

Residual risk is the risk remaining after controls are applied. To calculate it, you must know the inherent risk level (the risk before controls) and then assess how effectively controls reduce that risk. Control design adequacy and operating effectiveness determine how much the inherent risk is mitigated, directly impacting the residual risk calculation.

Exam trap

The trap here is confusing factors that influence the decision to accept residual risk (like risk appetite and cost of controls) with the direct inputs required to calculate the residual risk level itself.

663
MCQmedium

A global company uses a critical third-party vendor for data processing. The inherent risk is high, but the vendor has implemented robust controls. However, due to recent geopolitical instability, the vendor's physical location is at risk. The risk owner recommends purchasing a business continuity insurance policy. Which risk response is being applied?

A.Transfer
B.Avoid
C.Accept
D.Mitigate
AnswerA

Insurance transfers the risk to a third party.

Why this answer

Option A is correct because purchasing insurance transfers the financial risk to the insurer. Options B, C, and D do not describe transfer via insurance.

664
MCQmedium

An organization is implementing COBIT 2019 and the board has requested assurance that risk management activities are aligned with business objectives. Which governance objective is primarily focused on ensuring risk optimization through evaluation, direction, and monitoring?

A.EDM01 — Ensure Governance Framework Setting and Maintenance
B.EDM02 — Ensure Benefits Delivery
C.EDM03 — Ensure Risk Optimization
D.EDM04 — Ensure Resource Optimization
AnswerC

Correct. EDM03 directly addresses the evaluation, direction, and monitoring of risk management.

Why this answer

EDM03 (Ensure Risk Optimization) is the COBIT governance objective that specifically addresses the evaluation, direction, and monitoring of risk management to align with enterprise objectives.

665
MCQhard

After a major system upgrade, the control testing team reports that a critical automated control failed intermittently. The control owner states it's a temporary glitch. What is the best course of action?

A.Replace the control with a manual one.
B.Perform a root cause analysis before deeming it effective.
C.Increase frequency of monitoring.
D.Accept the risk and document the finding.
AnswerB

Root cause analysis helps determine if the failure is transient or indicative of a systemic issue.

Why this answer

The correct answer is B because an intermittent failure in a critical automated control requires a root cause analysis (RCA) to determine whether the issue is a transient software bug, a configuration error, or a deeper systemic flaw. Without understanding the root cause, the control cannot be deemed effective, and simply replacing, monitoring, or accepting the risk could leave the organization exposed to material control failures. The RCA should examine system logs, error codes, and change management records to isolate the intermittent behavior.

Exam trap

The trap here is that candidates may assume a temporary glitch is benign and choose to accept the risk (D) or increase monitoring (C), but the CRISC exam emphasizes that any control failure—especially intermittent ones—must be investigated to ensure the control's design is sound and the risk is properly understood.

How to eliminate wrong answers

Option A is wrong because replacing an automated control with a manual one introduces human error, latency, and scalability issues, and does not address the underlying technical glitch—it may also violate compliance requirements for automated controls. Option C is wrong because increasing monitoring frequency only detects the failure more often but does not prevent or resolve the intermittent issue, leading to false confidence and potential missed failures during monitoring gaps. Option D is wrong because accepting the risk without understanding the root cause is premature and violates the principle of informed risk acceptance; the finding must be analyzed to determine if the risk is truly acceptable or requires remediation.

666
MCQmedium

After a significant cybersecurity incident, the board requests a report on the effectiveness of the security controls that were in place. Which reporting approach would BEST demonstrate the controls' performance?

A.List all controls and their test results
B.Show the number of vulnerabilities patched
C.Provide a summary of the incident timeline
D.Compare control test results against defined KRIs and risk appetite
AnswerD

This links control outcomes to risk tolerance, demonstrating effectiveness.

Why this answer

Option D is correct because comparing control test results against defined Key Risk Indicators (KRIs) and risk appetite directly demonstrates whether the controls are operating within acceptable risk thresholds. This approach provides the board with a clear, quantitative assessment of control effectiveness relative to the organization's risk tolerance, which is the core objective of risk and control monitoring and reporting.

Exam trap

The trap here is that candidates often confuse operational metrics (like patching counts or incident timelines) with control effectiveness reporting, which must be tied to risk appetite and KRIs to demonstrate whether controls are actually managing risk within acceptable boundaries.

How to eliminate wrong answers

Option A is wrong because merely listing all controls and their test results provides raw data without context, failing to show how the controls performed against the organization's risk appetite or KRIs. Option B is wrong because showing the number of vulnerabilities patched is a metric of remediation activity, not a measure of control effectiveness; it does not indicate whether the controls prevented or detected the incident. Option C is wrong because providing a summary of the incident timeline describes what happened during the incident but does not evaluate whether the controls were effective in mitigating the risk.

667
MCQhard

A third-party vendor has been tiered as 'high risk' due to access to sensitive customer data. The vendor's SOC 2 Type II report has a qualified opinion on security controls. The vendor risk appetite requires unqualified SOC 2 Type II for critical vendors. What is the MOST appropriate risk response?

A.Accept the qualified report and continue monitoring
B.Implement additional compensating controls on the organization's side
C.Require the vendor to remediate the issues and provide an updated report within a defined timeframe
D.Downgrade the vendor to medium risk tier
AnswerC

This addresses the gap and aligns with risk appetite.

Why this answer

If a vendor does not meet the minimum security requirements for its tier, and the organization cannot accept the risk, the appropriate response is to remediate by requiring the vendor to address the qualification or find an alternative vendor that meets the requirements.

668
Multi-Selectmedium

An organization is migrating on-premises applications to a public cloud. Which THREE of the following should be considered as key risk identification activities?

Select 3 answers
A.Mapping network security group rules to existing firewall policies.
B.Performing a cost-benefit analysis of the migration.
C.Calculating the total cost of ownership.
D.Identifying data residency and compliance requirements.
E.Assessing shared responsibility model gaps.
AnswersA, D, E

Network mapping identifies potential access control risks.

Why this answer

Mapping network security group (NSG) rules to existing firewall policies is a key risk identification activity because it ensures that security controls are correctly translated to the cloud environment. Misconfigured NSG rules can lead to unintended network exposure, such as open ports or overly permissive access, which directly increases the attack surface. This mapping identifies gaps between on-premises security postures and cloud-native security constructs, a critical step in risk identification during migration.

Exam trap

The trap here is that candidates often confuse financial analysis activities (like cost-benefit analysis or TCO) with risk identification, but CRISC focuses on identifying threats, vulnerabilities, and control gaps, not cost optimization.

669
MCQeasy

During an IT risk assessment, a risk analyst discovers that a server contains sensitive customer data but is not included in the organization's vulnerability scanning program. What should the analyst do first?

A.Add the server to the high-risk register immediately.
B.Notify the vulnerability scan administrator to include the server in the next scan.
C.Perform a manual vulnerability assessment on the server.
D.Request an exception from management for the server to be exempt from scanning.
AnswerB

Direct action to include the server is the most immediate and effective response.

Why this answer

The analyst should report the missing server to the scan administrator to ensure it is included (Option B), as the immediate need is to close the scanning gap.

670
MCQeasy

An organization is conducting a vulnerability assessment of its IT assets. Which of the following sources is MOST authoritative for identifying known software vulnerabilities?

A.DISA STIGs
B.OWASP Top 10
C.NVD (National Vulnerability Database)
D.CIS Benchmarks
AnswerC

NVD is the primary source for CVE data.

Why this answer

The National Vulnerability Database (NVD) is the U.S. government repository of standards-based vulnerability management data, including CVEs, making it the most authoritative source.

671
MCQeasy

A retail company is planning to launch a mobile payment app. The risk team is identifying potential risks related to payment card industry (PCI) compliance. The app will process credit card numbers. The development team has implemented tokenization to replace card numbers with tokens, but the token vault is located on-premises. The network architect proposes exposing the token vault to the internet for mobile app access. The compliance officer is concerned about PCI DSS requirements. The risk manager needs to identify the highest risk related to this setup. What is the primary risk?

A.Potential loss of tokens due to hardware failure.
B.Exposure of the token vault to the internet may violate PCI DSS requirements and lead to a data breach.
C.Increased latency due to tokenization.
D.High cost of tokenization infrastructure.
AnswerB

Direct exposure to internet is a major security and compliance risk.

Why this answer

The primary risk is that exposing the token vault to the internet directly violates PCI DSS Requirement 3.4, which mandates that stored cardholder data must be rendered unreadable. While tokenization replaces PANs with tokens, the vault itself contains the sensitive PAN-to-token mapping. Internet exposure of this vault creates an attack surface for unauthorized access, potentially leading to a massive data breach and non-compliance penalties.

Exam trap

The trap here is that candidates may focus on operational risks like latency or cost, but the CRISC exam emphasizes that PCI DSS compliance and data breach exposure are the highest risks when cardholder data or its mapping is exposed to the internet.

How to eliminate wrong answers

Option A is wrong because hardware failure is a general availability risk, not the highest risk here; PCI DSS focuses on data protection, not hardware redundancy. Option C is wrong because increased latency from tokenization is a performance concern, not a compliance or security risk that could lead to a breach. Option D is wrong because cost is a business risk, not the primary security or compliance risk; PCI DSS does not mandate cost efficiency.

672
MCQhard

A key control indicator (KCI) for a critical access control shows a deficiency rate of 12% for the quarter, exceeding the target of 5%. Which of the following should be the risk practitioner's PRIMARY action?

A.Investigate root causes of the high deficiency rate
B.Escalate the deficiency to the board immediately
C.Implement compensating controls to reduce risk
D.Increase the frequency of control testing
AnswerA

Understanding why the control is failing is the primary step before any remediation or reporting.

Why this answer

The primary action is to investigate root causes because a KCI deficiency rate of 12% against a 5% target indicates a systemic control failure. Without understanding why the access control is failing (e.g., misconfigured role-based access control (RBAC) rules, stale user entitlements, or bypassed multi-factor authentication), any subsequent remediation may be ineffective. Root cause analysis ensures the risk practitioner addresses the underlying issue rather than applying a superficial fix.

Exam trap

The trap here is that candidates often choose 'implement compensating controls' or 'increase testing frequency' because they focus on immediate risk reduction, but the CRISC exam emphasizes that understanding the root cause is the foundational step before any remediation action.

How to eliminate wrong answers

Option B is wrong because escalating a 12% deficiency rate directly to the board without first performing root cause analysis bypasses the risk management process; the board requires actionable insights, not raw metrics. Option C is wrong because implementing compensating controls before understanding the root cause may introduce unnecessary complexity and cost, and could mask the real problem rather than solve it. Option D is wrong because increasing the frequency of control testing only provides more data points on the same failing control; it does not reduce the deficiency rate or address why the control is underperforming.

673
MCQmedium

A risk manager notices that a key risk indicator (KRI) has been consistently above the threshold for three months. What should be the first action?

A.Adjust the threshold to a higher value.
B.Implement additional controls immediately.
C.Review the KRI definition and data source for accuracy.
D.Escalate to senior management immediately.
AnswerC

Ensuring the KRI is correctly measured and sourced is fundamental before any action.

Why this answer

Before escalating, it is important to verify the accuracy of the KRI data and definition. Option C is correct because data integrity issues are a common cause of false alarms. Option B is premature without verification.

Option A incorrectly adjusts the threshold. Option D is reactive without understanding the root cause.

674
MCQeasy

An organization is conducting a business impact analysis (BIA) for its core banking system. Which of the following is the PRIMARY metric used to determine the urgency of recovery?

A.Service Level Agreement (SLA)
B.Recovery Time Objective (RTO)
C.Maximum Tolerable Downtime (MTD)
D.Recovery Point Objective (RPO)
AnswerC

MTD defines the maximum acceptable downtime before severe impact.

Why this answer

The Maximum Tolerable Downtime (MTD) is the primary metric for determining the urgency of recovery because it defines the total duration a business process can be unavailable before causing irreparable harm. For a core banking system, MTD directly reflects the maximum acceptable outage period from the business perspective, driving all recovery planning priorities.

Exam trap

The trap here is confusing RTO with MTD: candidates often pick RTO because it directly relates to recovery speed, but MTD is the business-driven ceiling that defines the urgency, while RTO is merely a derived target.

How to eliminate wrong answers

Option A is wrong because a Service Level Agreement (SLA) is a contractual commitment for normal operations, not a metric for recovery urgency during a disaster. Option B is wrong because Recovery Time Objective (RTO) is a target derived from MTD, not the primary determinant of urgency; it specifies the time within which recovery must occur but is subordinate to the business's maximum tolerable downtime. Option D is wrong because Recovery Point Objective (RPO) measures acceptable data loss (time between backups), not the urgency of system recovery after an outage.

675
MCQmedium

The risk team is evaluating the cost-effectiveness of a proposed control that will reduce the annualized loss expectancy (ALE) for a cyber attack from $500,000 to $100,000. The annual cost of the control is $150,000. What is the net benefit of implementing this control?

A.$400,000
B.$250,000
C.$150,000
D.$350,000
AnswerB

Correct: $400,000 reduction minus $150,000 cost equals $250,000 net benefit.

Why this answer

The ALE reduction is $400,000. Subtracting the control cost of $150,000 gives a net benefit of $250,000.
