CCNA IT Risk Identification Questions

49 of 124 questions · Page 2/2 · IT Risk Identification · Answers revealed

76
MCQ · medium

Refer to the exhibit. During a risk identification exercise for the internal network, the risk manager reviews this firewall log entry. Which of the following risks is MOST directly suggested by this log entry?

A. Sensitive data is being exfiltrated via SMB.
B. An attacker could use SMB to move laterally from a compromised workstation to the server.
C. The workstation may be accessing the internet via the server.
D. The organization is vulnerable to a distributed denial-of-service (DDoS) attack.
Answer: B

SMB is commonly used for lateral movement in attacks.

Why this answer

The firewall log shows an inbound SMB connection (port 445) from a workstation (10.0.0.5) to a server (10.0.0.10). SMB is commonly used for file sharing and remote administration, and if the workstation is compromised, an attacker can leverage SMB to move laterally to the server, potentially gaining access to sensitive data or escalating privileges. This aligns with the risk of lateral movement, which is a primary concern in internal network segmentation.

Exam trap

The trap here is that candidates may focus on the protocol (SMB) and assume data exfiltration (Option A) without considering the direction of traffic (inbound to the server) and the typical use of SMB for lateral movement in internal networks.

How to eliminate wrong answers

Option A is wrong because SMB is a protocol for file sharing and remote administration, not typically used for exfiltration; exfiltration often uses HTTP/S, FTP, or DNS tunneling, and the log shows a single inbound connection, not a sustained outbound data transfer. Option C is wrong because the log shows traffic from the workstation to the server (inbound to the server), not the workstation accessing the internet via the server; internet access would typically involve outbound traffic to external IPs, not internal SMB connections. Option D is wrong because a DDoS attack requires a flood of traffic from multiple sources to overwhelm a target, and this log shows a single connection from one workstation to one server, with no indication of volume or distributed sources.

77
Multi-Select · easy

Which TWO are primary objectives of IT risk identification?

Select 2 answers
A. Assign risk owners
B. Determine risk appetite
C. Identify threats and vulnerabilities
D. Inventory assets
E. Implement controls
Answers: C, D

This is the direct objective of risk identification.

Why this answer

Option C is correct because IT risk identification primarily involves cataloging threats (e.g., malware, insider misuse) and vulnerabilities (e.g., unpatched CVEs, misconfigured firewalls) that could exploit weaknesses in assets. This step is foundational to building a risk register and precedes any analysis or treatment. Without identifying specific threats and vulnerabilities, subsequent risk assessment and mitigation efforts would lack a factual basis.

Exam trap

The trap here is that candidates confuse the outputs of risk identification (threats, vulnerabilities, assets) with later-stage activities like assigning ownership or implementing controls, leading them to select options A or E incorrectly.

78
MCQ · medium

An organization is using the OCTAVE method for risk identification. Which activity is typically performed FIRST?

A. Identify threats
B. Identify critical assets
C. Identify vulnerabilities
D. Establish risk measurement criteria
Answer: D

OCTAVE starts with establishing criteria to frame the assessment.

Why this answer

In the OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation) method, the first phase is 'Build Asset-Based Threat Profiles,' which begins with establishing risk measurement criteria (e.g., impact scales, likelihood definitions) to guide subsequent asset prioritization and threat identification. This ensures that all later activities are aligned with the organization's risk appetite and tolerance levels.

Exam trap

ISACA often tests the misconception that asset identification is always the first step in any risk assessment methodology, but OCTAVE specifically requires establishing risk measurement criteria first to provide a consistent evaluation framework.

How to eliminate wrong answers

Option A is wrong because identifying threats occurs later in the OCTAVE process, after critical assets and risk measurement criteria have been established to provide context for threat analysis. Option B is wrong because, while identifying critical assets is an early step, it is performed after risk measurement criteria are defined to ensure assets are evaluated consistently against organizational risk thresholds. Option C is wrong because identifying vulnerabilities is part of the later 'Identify Vulnerabilities' phase, which depends on prior asset and threat identification to focus vulnerability analysis on relevant areas.

79
Multi-Select · medium

A risk manager is facilitating a risk identification workshop for a new cloud migration initiative. Which TWO techniques are most effective for identifying potential IT risks at this stage?

Select 2 answers
A. Calculating the annualized loss expectancy (ALE) for each identified risk
B. Interviewing business unit managers and IT architects
C. Conducting a cost-benefit analysis of security controls
D. Reviewing post-incident reports from previous cloud migrations
E. Performing a vulnerability scan on the existing infrastructure
Answers: B, D

Stakeholder interviews elicit operational threats and business concerns.

Why this answer

Interviewing business unit managers and IT architects (Option B) is effective because it leverages domain expertise to surface operational and technical risks specific to the cloud migration, such as data residency constraints, API dependencies, or shared responsibility model gaps. This qualitative technique captures tacit knowledge that quantitative methods or automated scans cannot, making it ideal for the early identification stage.

Exam trap

The trap here is confusing risk identification (discovering what could go wrong) with risk analysis (quantifying likelihood/impact) or risk evaluation (comparing against criteria), leading candidates to select ALE calculation or cost-benefit analysis as identification techniques.

80
MCQ · hard

A multinational corporation uses a common identity management system (IdM) across all subsidiaries. During a risk assessment, it is discovered that the IdM system has a critical vulnerability that could allow privilege escalation. The patch requires a 4-hour downtime. The risk manager must decide the best course of action considering the organization's risk appetite of 'low' and the fact that the IdM system is critical for business operations. Which of the following is the BEST approach?

A. Implement a compensating control and delay patching.
B. Schedule the patch during the next maintenance window.
C. Apply the patch immediately during business hours.
D. Accept the risk and postpone patching indefinitely.
Answer: B

This minimizes disruption while addressing the vulnerability in a timely manner.

Why this answer

Option B is correct because scheduling the patch during the next maintenance window aligns with the organization's low risk appetite by addressing the critical vulnerability in a controlled manner, while minimizing operational disruption. The IdM system is critical for business operations, so applying the patch immediately during business hours (Option C) would cause unacceptable downtime, and delaying indefinitely (Option D) would violate the low risk appetite. A 4-hour downtime is typical for identity management systems like Active Directory or LDAP, where patching requires a reboot or service restart, and a planned maintenance window allows for proper testing and rollback procedures.

Exam trap

The trap here is that candidates may choose Option C (immediate patching) thinking it is the most secure response, but they overlook the criticality of the IdM system and the unacceptable operational impact of a 4-hour downtime during business hours, which violates the organization's low risk appetite by prioritizing security over business continuity.

How to eliminate wrong answers

Option A is wrong because implementing a compensating control (e.g., additional monitoring or access restrictions) delays patching and does not eliminate the root cause of the privilege escalation vulnerability, which could still be exploited if the compensating control fails; this approach is typically used when patching is not immediately feasible, but here a maintenance window is available. Option C is wrong because applying the patch immediately during business hours would cause a 4-hour downtime for a critical IdM system, disrupting authentication for all subsidiaries and potentially violating business continuity requirements; this is not aligned with a low risk appetite that prioritizes operational stability. Option D is wrong because accepting the risk and postponing patching indefinitely directly contradicts the organization's low risk appetite, as it leaves a critical privilege escalation vulnerability unmitigated, increasing the likelihood of a security breach that could compromise the entire identity infrastructure.

81
MCQ · easy

A company has implemented a new cloud-based customer relationship management (CRM) system. The IT risk manager is tasked with identifying risks related to this system. Which of the following is the MOST important risk identification technique to use initially?

A. Conducting a series of interviews with key users of the CRM
B. Performing a penetration test on the CRM environment
C. Facilitating a risk workshop with IT, business, and security stakeholders
D. Automated vulnerability scanning of the CRM system
Answer: C

A risk workshop enables comprehensive identification of risks across people, process, and technology.

Why this answer

Option C is correct because a risk workshop brings together stakeholders (IT, business, security) to identify risks collaboratively, which is effective for a new system. Option D (automated scanning) is useful for known vulnerabilities but not for business process risks. Option B (penetration testing) is for security validation, not initial identification. Option A (interviewing key users) is less comprehensive than a workshop.

82
Multi-Select · hard

Which THREE of the following are key indicators that a risk identification process is effective? (Choose three.)

Select 3 answers
A. The process identifies all known vulnerabilities
B. The process covers all critical business processes
C. The process involves input from key stakeholders across the organization
D. The process is repeated at regular intervals or triggered by significant changes
E. The process is completed within budget
Answers: B, C, D

Ensures comprehensive risk identification.

Why this answer

Option B is correct because an effective risk identification process must cover all critical business processes to ensure that risks are identified across the entire value chain. Without this coverage, significant risks in core operations could be missed, leading to incomplete risk assessments and potential business disruptions. This aligns with the CRISC focus on aligning IT risk management with business objectives.

Exam trap

The trap here is that candidates confuse project management metrics (like budget or schedule) with risk management effectiveness indicators, leading them to select 'completed within budget' instead of recognizing that coverage, stakeholder input, and timeliness are the true measures of a robust risk identification process.

83
MCQ · medium

A manufacturing company uses IoT sensors on the factory floor to monitor equipment performance. The sensors transmit data to a central server via Wi-Fi. During a risk identification workshop, the operations manager reveals that some sensors are operating on outdated firmware with known vulnerabilities. The IT director proposes replacing all sensors at a high cost. The risk team notes that a breach could cause production downtime but the sensors only collect non-sensitive operational data. The company has a low tolerance for downtime. What should the risk team identify as the most critical risk?

A. Operational disruption from a potential cyber attack exploiting sensor vulnerabilities.
B. Legal liability from non-compliance with safety standards.
C. Reputational damage from a data leak.
D. Financial loss from replacing sensors.
Answer: A

Downtime is a key impact for the company.

Why this answer

The most critical risk is operational disruption from a cyber attack exploiting the known vulnerabilities in the outdated IoT sensor firmware. Since the company has a low tolerance for downtime, any breach that causes production stoppage directly impacts business continuity, outweighing the non-sensitive nature of the data collected. The sensors' Wi-Fi connectivity provides an attack surface for lateral movement or denial-of-service, making exploitation a high-probability, high-impact event.

Exam trap

The trap here is that candidates focus on data sensitivity (reputation or legal liability) instead of operational impact, failing to recognize that for a manufacturing company with low downtime tolerance, production disruption is the most critical risk even if the data is non-sensitive.

How to eliminate wrong answers

Option B is wrong because the scenario does not mention any safety standards or regulatory compliance requirements; the sensors collect non-sensitive operational data, not safety-critical parameters. Option C is wrong because the sensors only collect non-sensitive operational data, so a data leak would not cause reputational damage; the risk is operational, not data confidentiality. Option D is wrong because the financial loss from replacing sensors is a cost of mitigation, not a risk; the risk is the potential operational disruption, and the high replacement cost is a factor in risk treatment decisions, not the risk itself.

84
MCQ · medium

A mid-sized retail company operates 50 stores across three regions. Each store uses a point-of-sale (POS) system that transmits credit card transactions to a centralized payment processor. The company recently deployed a new SaaS-based inventory management application that connects to the POS system via API. The IT department has no formal process for tracking third-party connections. The risk manager suspects that unknown or unauthorized connections may exist. During a risk identification review, the risk manager discovers that the POS vendor's API documentation was shared with the inventory SaaS provider without a non-disclosure agreement (NDA). Additionally, the API keys for the POS system are stored in plain text configuration files on the inventory SaaS application server. The company's security policy requires encryption of all sensitive data in transit and at rest. Which of the following should the risk manager prioritize as the HIGHEST risk scenario to document in the risk register?

A. Exposure of POS system API keys stored in plain text on the inventory SaaS server
B. The POS system may not be PCI DSS compliant due to API sharing without NDA
C. No formal process for tracking third-party connections
D. The lack of an NDA with the inventory SaaS provider
Answer: A

Direct exposure of credentials that access payment systems, leading to high risk of data breach.

Why this answer

The plain-text storage of API keys on the inventory SaaS server represents an active, exploitable vulnerability that directly violates the company's encryption-at-rest policy. Unlike the other options, this is a confirmed technical control failure that could allow an attacker to impersonate the POS system, intercept or manipulate credit card transactions, and compromise the entire payment processing pipeline. The risk is immediate and high-impact because the keys are already exposed, not merely a procedural gap or missing legal agreement.

Exam trap

The trap here is that candidates often prioritize procedural or compliance gaps (like missing NDAs or lack of formal processes) over a concrete, exploitable technical vulnerability, failing to recognize that a realized risk with immediate impact must be documented before addressing root causes.

How to eliminate wrong answers

Option B is wrong because PCI DSS compliance is a regulatory requirement, not a risk scenario; the lack of an NDA does not automatically make the POS system non-compliant, and PCI DSS focuses on technical controls (e.g., encryption, access control) rather than contractual agreements. Option C is wrong because the absence of a formal process for tracking third-party connections is a governance weakness, not a specific, realized risk scenario with a clear threat and vulnerable asset; it is a root cause, not a risk event to document. Option D is wrong because the lack of an NDA is a legal and contractual gap, not a technical risk; while it may lead to intellectual property exposure, it does not directly expose sensitive data or systems to immediate compromise like the plain-text API keys do.

85
Multi-Select · medium

An organization is migrating on-premises applications to a public cloud. Which THREE of the following should be considered as key risk identification activities?

Select 3 answers
A. Mapping network security group rules to existing firewall policies.
B. Performing a cost-benefit analysis of the migration.
C. Calculating the total cost of ownership.
D. Identifying data residency and compliance requirements.
E. Assessing shared responsibility model gaps.
Answers: A, D, E

Network mapping identifies potential access control risks.

Why this answer

Mapping network security group (NSG) rules to existing firewall policies is a key risk identification activity because it ensures that security controls are correctly translated to the cloud environment. Misconfigured NSG rules can lead to unintended network exposure, such as open ports or overly permissive access, which directly increases the attack surface. This mapping identifies gaps between on-premises security postures and cloud-native security constructs, a critical step in risk identification during migration.

Exam trap

The trap here is that candidates often confuse financial analysis activities (like cost-benefit analysis or TCO) with risk identification, but CRISC focuses on identifying threats, vulnerabilities, and control gaps, not cost optimization.

86
MCQ · easy

A retail company is planning to launch a mobile payment app. The risk team is identifying potential risks related to payment card industry (PCI) compliance. The app will process credit card numbers. The development team has implemented tokenization to replace card numbers with tokens, but the token vault is located on-premises. The network architect proposes exposing the token vault to the internet for mobile app access. The compliance officer is concerned about PCI DSS requirements. The risk manager needs to identify the highest risk related to this setup. What is the primary risk?

A. Potential loss of tokens due to hardware failure.
B. Exposure of the token vault to the internet may violate PCI DSS requirements and lead to a data breach.
C. Increased latency due to tokenization.
D. High cost of tokenization infrastructure.
Answer: B

Direct exposure to internet is a major security and compliance risk.

Why this answer

The primary risk is that exposing the token vault to the internet directly violates PCI DSS Requirement 3.4, which mandates that stored cardholder data must be rendered unreadable. While tokenization replaces PANs with tokens, the vault itself contains the sensitive PAN-to-token mapping. Internet exposure of this vault creates an attack surface for unauthorized access, potentially leading to a massive data breach and non-compliance penalties.

Exam trap

The trap here is that candidates may focus on operational risks like latency or cost, but the CRISC exam emphasizes that PCI DSS compliance and data breach exposure are the highest risks when cardholder data or its mapping is exposed to the internet.

How to eliminate wrong answers

Option A is wrong because hardware failure is a general availability risk, not the highest risk here; PCI DSS focuses on data protection, not hardware redundancy. Option C is wrong because increased latency from tokenization is a performance concern, not a compliance or security risk that could lead to a breach. Option D is wrong because cost is a business risk, not the primary security or compliance risk; PCI DSS does not mandate cost efficiency.

87
MCQ · medium

A retail company is identifying risks in its supply chain. Which approach is most effective for identifying previously unknown risks?

A. Scenario analysis with supply chain partners
B. Employee surveys
C. Financial audit reports
D. Review of standard risk checklists
Answer: A

Scenario analysis explores potential future events, uncovering previously unidentified risks.

Why this answer

Scenario analysis with supply chain partners is most effective for identifying previously unknown risks because it leverages collaborative brainstorming and 'what-if' thinking to uncover emergent threats that are not captured by historical data or static checklists. This approach is particularly valuable in supply chain contexts where interdependencies, third-party vulnerabilities, and novel disruptions (e.g., a new cyberattack vector targeting a logistics provider) can surface only through joint exploration of hypothetical events. It aligns with the CRISC emphasis on proactive risk identification beyond known patterns.

Exam trap

The trap here is that candidates often choose 'Review of standard risk checklists' because it seems efficient and structured, but CRISC tests the understanding that checklists are inherently limited to known risks and cannot identify novel or previously unencountered threats.

How to eliminate wrong answers

Option B is wrong because employee surveys are typically backward-looking and capture only known or perceived risks based on individual experience, making them ineffective for surfacing novel, systemic, or previously unencountered supply chain threats. Option C is wrong because financial audit reports focus on historical financial controls and compliance gaps, not on forward-looking identification of operational or strategic risks like supplier cyber incidents or geopolitical disruptions. Option D is wrong because standard risk checklists are static and based on known risk categories (e.g., vendor lock-in, natural disasters), so they inherently miss emerging or context-specific risks that have not been codified into the checklist.

88
MCQ · medium

During a risk identification workshop, the business process owner states that a key system has no documented dependencies. What is the BEST next step for the risk practitioner?

A. Ask the system administrator to provide a list after the workshop
B. Postpone the workshop until dependencies are mapped
C. Assume the system has no dependencies
D. Document the missing dependency information as a risk in the risk register
Answer: D

The absence of dependency data itself is a risk to accurate risk identification.

Why this answer

Option D is correct because undocumented dependencies represent an unknown risk that must be captured in the risk register to ensure visibility and subsequent analysis. By documenting the missing dependency information as a risk, the risk practitioner formally acknowledges the gap, enabling further investigation into potential single points of failure, cascading failures, or unmonitored interconnections that could impact system availability or integrity.

Exam trap

The trap here is that candidates may think the immediate priority is to gather the missing data (Option A) or halt the workshop (Option B), rather than recognizing that the risk practitioner's first duty is to formally record the identified gap as a risk to ensure it is tracked and managed.

How to eliminate wrong answers

Option A is wrong because asking the system administrator to provide a list after the workshop delays the identification process and does not immediately address the risk of unknown dependencies; the risk practitioner should capture the gap in the risk register first to ensure it is not forgotten. Option B is wrong because postponing the workshop halts the entire risk identification effort unnecessarily; the workshop can continue with other items while the dependency gap is noted and addressed later. Option C is wrong because assuming the system has no dependencies is a dangerous assumption that ignores the possibility of hidden integration points, shared infrastructure, or upstream/downstream services that could cause significant disruption if unaccounted for.

89
MCQ · easy

Which of the following is the PRIMARY purpose of a risk register in the risk identification phase?

A. Assign risk owners
B. Document identified risks and their characteristics
C. Calculate risk scores
D. Track remediation progress
Answer: B

The primary purpose is to record risks for further analysis.

Why this answer

The primary purpose of a risk register during the risk identification phase is to systematically document each identified risk along with its key characteristics, such as the risk description, cause, impact, and potential triggers. This foundational record ensures that all risks are captured before any subsequent analysis or response planning occurs, aligning with the CRISC domain of IT Risk Identification.

Exam trap

The trap here is that candidates confuse the risk register's role in identification with later-phase activities like ownership assignment or scoring, leading them to select options that describe downstream processes rather than the immediate documentation purpose.

How to eliminate wrong answers

Option A is wrong because assigning risk owners is a governance activity that typically occurs after risks have been documented and analyzed, not during the initial identification phase. Option C is wrong because calculating risk scores is part of the risk analysis phase, which follows identification and relies on the documented characteristics in the register. Option D is wrong because tracking remediation progress belongs to the risk response and monitoring phases, long after the register has been populated with identified risks.

90
MCQ · hard

During a risk identification workshop, the team identifies a potential data leakage from a legacy system. What is the FIRST step the risk owner should take?

A. Implement encryption immediately
B. Document the risk and its source
C. Assign a risk score
D. Report to senior management
Answer: B

Documentation ensures the risk is properly captured for subsequent analysis.

Why this answer

The first step for the risk owner is to formally document the risk and its source. This ensures that the identified data leakage from the legacy system is captured in the risk register, establishing a baseline for analysis and treatment. Without documentation, subsequent steps like risk scoring, control implementation, or escalation cannot be properly justified or tracked.

Exam trap

The trap here is that candidates often jump to immediate remediation (like encryption) or escalation, forgetting that formal documentation is the mandatory first step to ensure traceability and compliance with risk management processes.

How to eliminate wrong answers

Option A is wrong because implementing encryption immediately is a premature control decision; the risk must first be documented and analyzed to determine if encryption is appropriate, feasible, and cost-effective for the legacy system. Option C is wrong because assigning a risk score occurs after the risk has been documented and its impact and likelihood have been assessed, not as the first step. Option D is wrong because reporting to senior management is an escalation step that typically follows risk analysis and prioritization, not the initial action upon identification.

91
MCQ · medium

An IT risk manager is reviewing the results of a recent risk assessment. The organization has a risk appetite that allows for low residual risk. One identified risk has an inherent risk score of 15 (on a scale of 1-25) and currently has no controls. Which of the following is the BEST recommendation for this risk?

A. Accept the risk because the score is moderate.
B. Implement controls to reduce the residual risk to an acceptable level.
C. Transfer the risk via cyber insurance.
D. Avoid the risk by discontinuing the business process.
Answer: B

Controls are necessary to lower the residual risk to within appetite.

Why this answer

The inherent risk score of 15 (out of 25) is moderate, but the organization's risk appetite allows only low residual risk. Since there are currently no controls, the residual risk equals the inherent risk of 15, which exceeds the acceptable threshold. Therefore, implementing controls is the best recommendation to reduce the residual risk to a level that aligns with the risk appetite.

Exam trap

The trap here is that candidates see a moderate score (15 out of 25) and assume acceptance is appropriate, but they overlook the specific risk appetite constraint that requires low residual risk, making acceptance invalid without controls.

How to eliminate wrong answers

Option A is wrong because accepting the risk when the residual risk (currently 15) exceeds the low-risk appetite threshold violates the organization's risk tolerance policy; acceptance is only appropriate when residual risk is within appetite. Option C is wrong because transferring risk via cyber insurance does not reduce the inherent or residual risk score—it only provides financial compensation after a loss, and the organization's risk appetite requires low residual risk, not just financial coverage. Option D is wrong because avoiding the risk by discontinuing the business process is an extreme measure typically reserved for risks that cannot be mitigated to an acceptable level or where the cost of mitigation exceeds the benefit; here, controls can likely reduce the residual risk to an acceptable level without eliminating the business process.

92
MCQ · easy

A risk practitioner is reviewing system logs and notices multiple failed login attempts from a foreign IP address. This observation is an example of which type of risk identification activity?

A. Control self-assessment
B. Threat intelligence gathering
C. Incident and event monitoring
D. Vulnerability scanning
Answer: C

Log review is a monitoring activity that identifies potential risks.

Why this answer

The observation of multiple failed login attempts from a foreign IP address is a direct result of reviewing system logs, which is a core component of incident and event monitoring. This activity involves the continuous surveillance of security events to detect anomalies, such as brute-force attacks, and is a reactive risk identification technique that identifies risks based on actual occurrences.

Exam trap

The trap here is that candidates confuse 'threat intelligence gathering' (which uses external feeds) with the internal log analysis of actual events, but the question specifically describes reviewing system logs, which is a direct example of incident and event monitoring.

How to eliminate wrong answers

Option A is wrong because control self-assessment is a proactive, internal review process where control owners evaluate the design and effectiveness of controls, not a log review of real-time events. Option B is wrong because threat intelligence gathering involves collecting and analyzing external data about emerging threats (e.g., from ISACs or threat feeds), not reviewing internal system logs for specific failed login attempts. Option D is wrong because vulnerability scanning is a scheduled, automated process that identifies known weaknesses in systems (e.g., missing patches or misconfigurations), not the detection of ongoing attack patterns like repeated failed logins.

93
MCQmedium

Refer to the exhibit. What is the MOST immediate risk identification action?

A.Document the vulnerability in the risk register
B.Update asset inventory
C.Check if the patch has been deployed
D.Validate the vulnerability manually
AnswerC

Determining patch status is critical to understand the actual risk.

Why this answer

The exhibit (not shown) likely presents a vulnerability scan result or a security advisory. The most immediate risk identification action is to verify whether the identified vulnerability has already been mitigated by deploying the vendor-supplied patch. This confirms the current exposure status before any further risk assessment or documentation steps are taken.

Exam trap

The trap here is that candidates often jump to documenting or validating the vulnerability without first checking the most obvious and efficient control—patch status—which is the immediate action to determine actual exposure.

How to eliminate wrong answers

Option A is wrong because documenting the vulnerability in the risk register is a subsequent step, performed after confirming the vulnerability is unpatched and poses actual risk. Option B is wrong because updating the asset inventory is a broader asset management task, not an immediate action to identify risk from a specific vulnerability. Option D is wrong because manual validation of the vulnerability is a secondary verification step that should occur only after checking patch deployment, as the patch status directly indicates whether the vulnerability is still present.
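One way to carry out the "check patch status" step at scale, as an added example that is not part of the question bank: compare each host's installed package version with the fixed version named in the advisory. The advisory, the host inventory and the version strings below are constructed for illustration, and the version-comparison scheme is a simplified one.

```python
"""Exposure check: compare installed package versions with an advisory's fixed version."""
import re


def version_key(v):
    """Split a version such as '3.0.2-0ubuntu1.15' into a comparable tuple.
    Numeric fields compare as integers, so '1.2.10' sorts after '1.2.9'
    (plain string comparison gets this wrong). This is a simplified scheme;
    for authoritative results use the package manager's own comparison
    (dpkg --compare-versions, rpmdev-vercmp)."""
    fields = re.split(r"[.\-+~]", v)
    return tuple((0, int(f)) if f.isdigit() else (1, f) for f in fields)


def is_exposed(installed, fixed):
    """True when the installed version is older than the version that fixes the issue."""
    return version_key(installed) < version_key(fixed)


# Constructed advisory and inventory (hypothetical package versions, not a real CVE).
ADVISORY = {"package": "openssl", "fixed_version": "3.0.2-0ubuntu1.15"}
INVENTORY = {
    "web01": {"openssl": "3.0.2-0ubuntu1.12"},
    "web02": {"openssl": "3.0.2-0ubuntu1.15"},
    "db01": {"openssl": "3.0.2-0ubuntu1.9"},
    "app03": {"nginx": "1.18.0-6ubuntu14"},
}


def exposure_report(advisory, inventory):
    """Map host -> 'exposed' | 'patched' | 'not installed' for the advisory's package."""
    report = {}
    for host, packages in inventory.items():
        installed = packages.get(advisory["package"])
        if installed is None:
            report[host] = "not installed"
        elif is_exposed(installed, advisory["fixed_version"]):
            report[host] = "exposed"
        else:
            report[host] = "patched"
    return report


if __name__ == "__main__":
    for host, status in sorted(exposure_report(ADVISORY, INVENTORY).items()):
        print(f"{host}: {status}")
```

A host reporting the fixed version is not necessarily safe yet: a long-running process keeps the old library mapped until it is restarted, which is why tools such as needs-restarting (RPM-based systems) and checkrestart (debian-goodies) exist. A version check answers "is the patch deployed"; whether it is in effect is a second question.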

94
MCQmedium

A university's IT department is implementing a single sign-on (SSO) solution for students and faculty. The solution will integrate with existing Active Directory and a cloud-based learning management system (LMS). During risk identification, the team learns that the SSO vendor had a minor security incident last year. The university's security policy requires multi-factor authentication (MFA) for all administrative access, but the SSO solution does not support MFA for student accounts. The project manager insists that MFA for students is not necessary because they only access academic records. The risk team must identify the most significant risk that could affect the university's reputation. Which risk should be documented?

A.SSO vendor's historical security incident could impact service availability.
B.Students may share passwords, leading to account compromise.
C.Lack of MFA for administrative accounts could allow unauthorized changes.
D.Without MFA, student accounts could be compromised to access sensitive academic data.
AnswerD

Compromised student accounts can lead to data breach and reputational damage.

Why this answer

The most significant reputational risk is that without MFA, student accounts are vulnerable to credential theft or brute-force attacks. If an attacker compromises a student account, they could access sensitive academic records (e.g., grades, personal data) protected under FERPA, leading to data breaches, legal penalties, and loss of public trust. The SSO vendor's past incident is less relevant because it was minor and does not directly expose the university's data.

Exam trap

The trap here is that candidates focus on the vendor's past incident (Option A) as a red flag, but the real risk is the missing MFA control for student accounts, which directly enables unauthorized access to sensitive data and reputational damage.

How to eliminate wrong answers

Option A is wrong because a minor historical security incident at the vendor does not directly threaten the university's reputation; service availability is an operational risk, not a reputational one tied to data exposure. Option B is wrong because password sharing is a user behavior issue, not a technical control gap; while it increases risk, the lack of MFA is the primary vulnerability that enables account compromise at scale. Option C is wrong because the scenario states MFA is required for all administrative access, and the SSO solution's lack of MFA applies only to student accounts, not administrative accounts.

95
MCQhard

During a merger and acquisition (M&A) due diligence, the IT risk manager needs to identify risks in the target company's IT environment. Which approach is most effective for comprehensive risk identification?

A.Send a detailed questionnaire to the target's IT department
B.Review the target's public financial reports
C.Conduct a war gaming exercise
D.Conduct an on-site assessment of the target's IT infrastructure
AnswerD

On-site assessment enables direct observation, interviews, and hands-on review, yielding the most reliable risk identification.

Why this answer

An on-site assessment (Option D) allows the IT risk manager to directly observe the target's IT infrastructure, including physical security, network configurations, and operational practices. This hands-on approach uncovers risks that may be hidden or misrepresented in self-reported questionnaires, such as outdated firmware, unpatched systems, or insecure network segmentation. It provides the most comprehensive and accurate risk identification for M&A due diligence.

Exam trap

The trap here is that candidates may overestimate the reliability of self-reported data from questionnaires (Option A) because it seems systematic and efficient, but the CRISC exam emphasizes that direct verification through on-site assessment is essential for comprehensive risk identification in M&A due diligence.

How to eliminate wrong answers

Option A is wrong because a detailed questionnaire relies on self-reporting by the target's IT department, which may omit or downplay critical risks due to lack of awareness or intentional concealment, and cannot verify the actual state of systems like patch levels or firewall rules. Option B is wrong because public financial reports focus on monetary performance and regulatory filings, not on technical IT risks such as insecure configurations, unpatched vulnerabilities, or inadequate access controls. Option C is wrong because war gaming exercises are designed to test strategic responses to hypothetical scenarios, not to identify existing technical risks in a target's IT environment, and they lack the granularity needed for infrastructure-level assessment.

96
Matchingmedium

Match each CRISC domain to its description.



Establish and maintain a risk management framework

Identify and analyze IT risks

Select and implement risk mitigation controls

Continuously monitor and report risk status

Why these pairings

The CRISC domains cover the full lifecycle of IT risk management.

97
MCQhard

During a risk assessment, an organization identifies that its legacy ERP system has a high likelihood of failure during peak transaction periods. The system supports critical financial operations. The risk owner proposes to upgrade the system, but the project would take 18 months and require significant capital investment. The CEO questions whether the risk can be reduced to an acceptable level more quickly. Which of the following is the MOST appropriate immediate risk response?

A.Implement enhanced monitoring and manual fallback procedures.
B.Increase cyber insurance coverage.
C.Accept the risk and budget for potential losses.
D.Outsource the ERP hosting to a cloud provider.
AnswerA

These measures reduce the impact of failures and can be deployed quickly.

Why this answer

Enhanced monitoring and manual fallback procedures directly address the immediate risk of system failure during peak periods by providing early detection and a contingency plan to maintain critical financial operations. This response can be implemented quickly without the 18-month timeline and capital investment required for a full system upgrade, aligning with the CEO's request for a faster risk reduction.

Exam trap

The trap here is that candidates confuse a long-term strategic solution (system upgrade or cloud migration) with an immediate tactical response, failing to recognize that the question explicitly asks for the 'most appropriate immediate risk response' that can be deployed quickly.

How to eliminate wrong answers

Option B is wrong because cyber insurance coverage does not reduce the likelihood or impact of the ERP failure; it only provides financial compensation after a loss, which is not an immediate risk response. Option C is wrong because accepting the risk and budgeting for potential losses is a passive approach that does nothing to mitigate the high likelihood of failure during peak transactions, leaving critical financial operations exposed. Option D is wrong because outsourcing ERP hosting to a cloud provider involves significant migration effort, potential data residency issues, and contractual timelines that cannot be implemented immediately, and it does not address the legacy system's inherent instability during peak loads.

98
MCQeasy

After a data breach has been contained, what is the most important action for identifying underlying IT risks?

A.Update the risk register
B.Perform a root cause analysis
C.Implement new security controls
D.Review cyber insurance policy
AnswerB

Root cause analysis identifies the specific risks and weaknesses that led to the breach.

Why this answer

Root cause analysis systematically identifies the weaknesses that allowed the breach, directly contributing to risk identification. Updating the risk register, implementing controls, and reviewing insurance are subsequent steps.

99
MCQmedium

An internal audit report identifies that the IT department did not patch a critical vulnerability in a database server for 90 days. The risk manager wants to identify the root cause risk. Which approach should be used?

A.Interview the database system owner
B.Conduct a new vulnerability scan
C.Update the risk register with the finding
D.Perform a root cause analysis on the patching process
AnswerD

Root cause analysis identifies process gaps leading to the delay.

Why this answer

Option D is correct because the risk manager needs to identify the root cause risk, which requires understanding why the patching process failed to apply a critical security update within the required timeframe. A root cause analysis (RCA) on the patching process systematically examines procedural breakdowns, such as missed scanning cycles, lack of change management approval, or insufficient prioritization of database-specific patches (e.g., Oracle Critical Patch Updates). This approach directly addresses the underlying process deficiency rather than merely documenting or re-verifying the vulnerability.

Exam trap

The trap here is that candidates confuse operational remediation (e.g., rescanning or interviewing) with risk identification analysis, failing to recognize that the question specifically asks for identifying the root cause risk, not just confirming or logging the finding.

How to eliminate wrong answers

Option A is wrong because interviewing the database system owner may provide anecdotal context but does not systematically uncover the procedural or systemic failures in the patching lifecycle, such as scheduling gaps or approval bottlenecks. Option B is wrong because conducting a new vulnerability scan would only confirm the current state of the vulnerability (e.g., whether it is still present or remediated), not reveal why the patch was delayed for 90 days. Option C is wrong because updating the risk register with the finding is a documentation step that records the risk but does not analyze the causal factors behind the patching failure.

100
Multi-Selectmedium

Which TWO of the following are primary sources of IT risk identification? (Select exactly TWO.)

Select 2 answers
A.Incident reports
B.Threat intelligence feeds
C.Asset inventory
D.Risk appetite
E.Policy documents
AnswersA, B

Incident reports document past events and vulnerabilities, revealing risks that materialized.

Why this answer

Incident reports are a primary source of IT risk identification because they provide direct evidence of past security events, such as malware infections, unauthorized access attempts, or system failures. By analyzing incident reports, risk practitioners can identify patterns, root causes, and control weaknesses that represent current or emerging risks. This historical data is essential for updating the risk register and prioritizing remediation efforts based on actual impact. Threat intelligence feeds are the second primary source because they describe threats, exploited vulnerabilities, and attacker techniques observed outside the organization, allowing risks to be identified before they materialize internally. Risk appetite and policy documents set the criteria against which identified risks are judged; they do not themselves reveal risk events.

Exam trap

The trap here is that candidates often mistake asset inventory (a passive inventory list) as a primary risk identification source, when in fact it is a prerequisite for risk assessment but does not itself identify risks; the exam expects you to distinguish between inputs for risk assessment and sources that actively reveal risk events.

101
MCQmedium

During a risk assessment for a new financial application, the risk manager identifies that the application processes sensitive customer data and is accessible from the internet. Which of the following is the MOST appropriate risk scenario to document?

A.The application has several unpatched vulnerabilities that increase the likelihood of a security incident.
B.The application will implement multi-factor authentication to prevent unauthorized access.
C.An attacker could exploit weak authentication mechanisms to gain unauthorized access and exfiltrate customer data, resulting in regulatory fines and reputational damage.
D.The application must comply with PCI DSS requirements for data protection.
AnswerC

This is a well-defined risk scenario with threat, vulnerability, and impact.

Why this answer

Option C is the most appropriate risk scenario because it follows the standard risk scenario structure: threat (attacker), vulnerability (weak authentication), impact (unauthorized access, data exfiltration, regulatory fines, reputational damage). It directly ties the technical weakness to a business consequence, which is essential for communicating risk to stakeholders. The scenario is specific to the application's internet-facing nature and sensitive data processing, making it actionable for risk treatment.

Exam trap

The trap here is that candidates mistake a vulnerability or a control for a complete risk scenario, failing to include the threat actor and business impact that are required for proper risk identification.

How to eliminate wrong answers

Option A is wrong because it describes a vulnerability (unpatched flaws) without specifying a threat actor, attack vector, or business impact; it is a risk factor, not a complete risk scenario. Option B is wrong because it describes a control (multi-factor authentication) that would mitigate risk, not a risk scenario itself; it confuses a solution with the problem statement. Option D is wrong because it states a compliance requirement (PCI DSS) without linking it to a specific threat, vulnerability, or adverse outcome; it is a control objective, not a risk scenario.

102
MCQmedium

During a cloud migration project, the IT risk manager is identifying risks associated with data residency. Which of the following is the MOST effective method to identify applicable regulatory requirements?

A.Interviewing cloud service providers about compliance
B.Implementing a data classification policy that maps to regulatory frameworks
C.Conducting a vulnerability scan of the cloud environment
D.Reviewing past audit findings
AnswerB

This proactively identifies data types and associated legal requirements.

Why this answer

Implementing a data classification policy that maps to regulatory frameworks is the most effective method because it systematically identifies which data types are subject to specific regulations (e.g., GDPR, HIPAA, LGPD) based on content and jurisdiction. This proactive approach ensures that all applicable legal and contractual requirements are considered before engaging with cloud providers, rather than relying on post-hoc interviews or scans.

Exam trap

The trap here is that candidates confuse operational security controls (vulnerability scanning) or reactive measures (vendor interviews, past audits) with the foundational governance step of classifying data to identify regulatory obligations, which is a core IT risk identification activity.

How to eliminate wrong answers

Option A is wrong because interviewing cloud service providers about compliance only captures the provider's self-reported stance, which may not cover all jurisdictional nuances or the organization's specific data types; it is a reactive, vendor-dependent method. Option C is wrong because conducting a vulnerability scan of the cloud environment identifies technical security weaknesses (e.g., open ports, misconfigurations) but does not reveal which regulatory frameworks apply to the data stored or processed. Option D is wrong because reviewing past audit findings only highlights previously identified issues and may miss new or evolving regulatory requirements relevant to the current migration scope.

103
MCQhard

A multinational organization uses a third-party vendor for cloud-based identity management. The vendor recently suffered a data breach that exposed user credentials. The risk manager is now re-evaluating the associated risk. Which of the following steps should the risk manager perform FIRST to identify potential new risks?

A.Review the contract to determine if the vendor is liable for the breach.
B.Update the risk register to include the new threat scenario of credential compromise via the vendor.
C.Immediately revoke all vendor access to internal systems.
D.Conduct a penetration test of the organization's own systems.
AnswerB

Updating the risk register is the first step in risk identification after a new event.

Why this answer

Option B is correct because updating the risk register with the new threat scenario (credential compromise via the identity provider) is the first risk identification step after a new event: it captures the changed threat picture so the risk can then be analyzed and treated. Option A (contract review) matters for liability and recovery but is secondary to identifying the risk. Option D (penetration test) is a later assessment activity, not the immediate first step.

Option C (revoking all vendor access) is a risk response and a control, not a risk identification step; it would be taken after, not instead of, identifying and analyzing the risk.

104
MCQhard

A security operations center (SOC) analyst notices multiple failed login attempts from an internal IP address followed by a successful login from an unusual geographic location. Which risk identification technique should the risk manager use to assess this as a potential risk?

A.Run a phishing simulation for the user
B.Review the logs manually for other indicators
C.Conduct a vulnerability scan on the workstation
D.Perform user and entity behavior analytics (UEBA) on the user account
AnswerD

UEBA detects deviations from normal behavior, signaling potential compromise.

Why this answer

Option D is correct because user and entity behavior analytics (UEBA) baselines an account's normal activity (usual source addresses, locations, login times) and scores deviations from it; a burst of failures followed by a success from an unusual geography is exactly the anomaly pattern UEBA is designed to surface, turning a raw event into an identified risk of account compromise. Option C is incorrect because a vulnerability scan finds missing patches and misconfigurations, not behavioral anomalies. Option A is incorrect because a phishing simulation tests user awareness; it does not assess a specific observed event.

Option B is incorrect because manual log review may find further indicators but, on its own, does not contextualize the event against the user's normal behavior, which is what establishes it as a risk.

105
MCQeasy

A smart manufacturing company has deployed hundreds of IoT sensors and actuators across its production line. These devices are connected directly to the corporate network without any segmentation and communicate using unencrypted protocols. A third-party vendor manages all IoT devices and has administrative access from their own network. Recently, the IT team detected unusual outbound traffic from the IoT segment to unknown IP addresses on the internet. The risk manager is leading a risk identification workshop. Based on this scenario, what is the most critical risk to the organization that should be identified and documented?

A.Unauthorized remote access to the corporate network via the IoT devices
B.Compliance violation with industry regulations
C.Loss of data integrity due to tampering with sensor measurements
D.Physical damage to equipment due to unsafe actuator commands
AnswerA

Unsegmented IoT devices with third-party admin access and detected suspicious traffic represent a clear path for attackers to infiltrate the corporate network.

Why this answer

The most critical risk is unauthorized remote access to the corporate network via the IoT devices. The IoT devices are directly connected to the corporate network without segmentation and communicate using unencrypted protocols, while a third-party vendor has administrative access from their own network. The unusual outbound traffic to unknown IP addresses strongly suggests that an attacker has compromised the vendor's network or the devices themselves, using the unencrypted protocols (e.g., MQTT without TLS, Modbus/TCP) to pivot into the corporate network, bypassing perimeter defenses.

Exam trap

ISACA often tests the concept that the most critical risk is the one that is actively occurring and has the highest potential for immediate impact, not the one that is merely possible or a downstream consequence; candidates often pick a compliance or data integrity answer because they focus on data protection rather than network access control.

How to eliminate wrong answers

Option B is wrong because while compliance violations (e.g., GDPR, NIST CSF) are possible, the immediate and most critical risk is the active, confirmed unauthorized access via the observed outbound traffic, not a hypothetical regulatory issue. Option C is wrong because loss of data integrity from tampered sensor measurements is a secondary risk; the primary threat is the attacker already having network access, which enables data manipulation but is not the most critical risk identified from the traffic anomaly. Option D is wrong because physical damage from unsafe actuator commands is a potential consequence, but the direct evidence of unusual outbound traffic indicates an active network breach, making unauthorized access the most critical risk to document first.
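The "unusual outbound traffic from the IoT segment" in this scenario is something a risk workshop can quantify rather than just note. The following is an added example, not part of the question bank: it takes flow records and reports IoT-sourced connections that leave internal address space for destinations outside the vendor's expected ranges. The IoT subnet, the vendor allowlist and the flow records are all constructed assumptions.

```python
"""Flag outbound flows from an IoT segment that leave internal address space
for destinations outside the vendor allowlist."""
import ipaddress
from collections import defaultdict

# Assumed address plan (constructed for this example).
IOT_SEGMENT = ipaddress.ip_network("10.50.0.0/16")
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Hypothetical vendor management range that IoT devices are expected to reach.
EGRESS_ALLOWLIST = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed flow records: (src, dst, dst_port, proto, bytes_out). Not real traffic.
FLOWS = [
    ("10.50.1.17", "10.50.0.2", 1883, "tcp", 4_200),          # MQTT to the local broker
    ("10.50.1.17", "198.51.100.20", 443, "tcp", 90_000),      # vendor cloud, allowlisted
    ("10.50.2.40", "203.0.113.9", 4444, "tcp", 1_850_000),    # unknown internet host
    ("10.50.2.40", "203.0.113.9", 4444, "tcp", 2_100_000),
    ("10.50.3.8", "192.0.2.55", 53, "udp", 6_500),            # DNS to an unknown resolver
    ("10.20.5.5", "203.0.113.9", 443, "tcp", 10_000),         # not from the IoT segment
]


def is_internal(ip):
    return any(ip in net for net in INTERNAL)


def is_allowlisted(ip):
    return any(ip in net for net in EGRESS_ALLOWLIST)


def suspicious_egress(flows):
    """Aggregate bytes per (src, dst, port, proto) for flows that start in the
    IoT segment and end outside both internal space and the allowlist."""
    totals = defaultdict(int)
    for src, dst, port, proto, nbytes in flows:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if s not in IOT_SEGMENT or is_internal(d) or is_allowlisted(d):
            continue
        totals[(src, dst, port, proto)] += nbytes
    return dict(totals)


def ranked(flows):
    """Suspicious flows ordered by volume, largest first."""
    return sorted(suspicious_egress(flows).items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    for (src, dst, port, proto), nbytes in ranked(FLOWS):
        print(f"{src} -> {dst}:{port}/{proto}  {nbytes:,} bytes")
```

The allowlist is the key design choice: once the vendor's management endpoints are written down, everything else leaving the segment is by definition unexplained, which is the evidence a risk register entry for this scenario needs. The same list is what a segmentation or egress-filtering control would later enforce.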

106
MCQhard

A company is conducting a Risk Identification for a new payment processing system. The team discovers that the system does not have encryption at rest. This is an example of:

A.Control
B.Threat
C.Vulnerability
D.Risk
AnswerC

Lack of encryption at rest is a weakness or gap in controls.

Why this answer

The absence of encryption at rest in a payment processing system is a weakness or flaw that can be exploited, making it a vulnerability. In risk identification, a vulnerability is a condition or weakness in an asset (e.g., database, storage volume) that, if exploited by a threat, could lead to a risk event. Here, the missing encryption at rest (e.g., AES-256 for stored cardholder data) is a specific security gap, not the threat itself or the resulting risk.

Exam trap

The trap here is confusing a vulnerability (the missing encryption) with the risk (the potential for data exposure) or the threat (the attacker who might exploit it), leading candidates to pick 'Risk' or 'Threat' instead of the correct 'Vulnerability'.

How to eliminate wrong answers

Option A is wrong because a control is a safeguard or countermeasure (e.g., enabling encryption at rest via AWS KMS or BitLocker), not the absence of one. Option B is wrong because a threat is a potential cause of an unwanted incident (e.g., an attacker gaining physical access to the storage server), not the missing encryption itself. Option D is wrong because risk is the potential impact of a threat exploiting a vulnerability (e.g., financial loss from data breach), not the vulnerability itself.

107
MCQmedium

A company plans to deploy an AI-based customer service chatbot that processes personal data. What risk should be identified as the highest priority?

A.Data privacy risk
B.Vendor lock-in risk
C.Model accuracy risk
D.Regulatory compliance risk
AnswerA

Processing personal data introduces significant privacy risks under regulations like GDPR, requiring immediate identification.

Why this answer

Processing personal data through an AI chatbot directly introduces data privacy risk as the highest priority because the system will collect, store, and potentially expose sensitive information (e.g., names, contact details, payment data). Under regulations like GDPR or CCPA, any breach or unauthorized access to this data can result in severe fines and reputational damage. While other risks exist, privacy risk is immediate and fundamental to the chatbot's operation.

Exam trap

ISACA often tests the distinction between a root cause risk (data privacy) and its downstream consequence (regulatory compliance), leading candidates to mistakenly select regulatory compliance risk as the highest priority.

How to eliminate wrong answers

Option B is wrong because vendor lock-in risk is a strategic or operational concern, not an immediate high-priority risk when personal data is involved; it does not directly threaten data confidentiality or integrity. Option C is wrong because model accuracy risk affects chatbot performance and user experience, but it does not inherently expose personal data or violate privacy regulations. Option D is wrong because regulatory compliance risk is a consequence of failing to manage privacy risk, not the root risk itself; the primary risk is the unauthorized processing or exposure of personal data.

108
Drag & Dropmedium

Sequence the steps for developing a disaster recovery plan (DRP).



Why this order

DRP development begins with BIA, prioritization, strategy selection, documentation, and testing.

109
MCQhard

A risk manager is reviewing the risk register and notices that several risks have been identified as 'high' but no risk owner has been assigned. Which of the following is the MOST appropriate action to ensure proper risk identification going forward?

A.Provide training to risk owners on their responsibilities.
B.Assign risk owners after the risk assessment is completed.
C.Conduct an audit of the risk identification process.
D.Update the risk identification policy to mandate that risk owners be identified during the initial risk identification phase.
AnswerD

Policy ensures risk ownership is established at identification time.

Why this answer

Option D is correct because the risk identification phase should include assigning risk owners to ensure accountability from the outset. Without a risk owner, identified risks cannot be properly managed, monitored, or escalated. Mandating owner assignment during initial identification embeds ownership into the process, preventing gaps in risk governance.

Exam trap

The trap here is that candidates often choose an audit (Option C) as a corrective action, but the question asks for the MOST appropriate action to ensure proper risk identification going forward, which requires a preventive policy change, not a retrospective review.

How to eliminate wrong answers

Option A is wrong because providing training to risk owners assumes they have already been assigned, but the core issue is that no owners exist for high risks; training does not solve the missing assignment. Option B is wrong because assigning risk owners after the risk assessment is completed delays accountability and violates the principle that owners should be identified during risk identification to enable timely response planning. Option C is wrong because conducting an audit of the risk identification process is a detective control that identifies past failures but does not proactively ensure proper identification going forward; it does not mandate owner assignment.

110
Multi-Selecteasy

Which TWO of the following are examples of external risk identification sources? (Choose two.)

Select 2 answers
A.Incident response reports from the security operations center
B.Regulatory bulletins from government agencies
C.Internal vulnerability scan reports
D.Threat intelligence feeds from industry sources
E.Industry benchmarking reports
AnswersB, D

Both originate outside the organization: regulators and industry threat-sharing sources.

Why this answer

Regulatory bulletins from government agencies (Option B) are external risk identification sources because they originate outside the organization and provide authoritative information on compliance requirements, legal changes, and mandated controls. Threat intelligence feeds from industry sources (Option D) are also external, as they aggregate data on emerging threats, vulnerabilities, and attack patterns from third-party vendors or open-source communities, helping organizations proactively adjust defenses.

Exam trap

The trap here is that candidates often confuse internal operational reports (like incident response or vulnerability scans) with external sources, failing to recognize that 'external' means information originating outside the organization's own systems and processes.

111
MCQhard

A multinational corporation is identifying risks associated with cross-border data transfers. Which regulation's risk identification requirements are most relevant?

A.PCI DSS
B.GDPR
C.HIPAA
D.SOX
AnswerB

GDPR requires risk assessments for international data transfers.

Why this answer

The General Data Protection Regulation (GDPR) is the most relevant regulation for risk identification in cross-border data transfers because it explicitly governs the transfer of personal data from the European Economic Area (EEA) to third countries. GDPR requires organizations to identify and assess risks related to adequacy decisions, Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), and potential data localization conflicts. This regulation directly addresses the legal and technical risks of moving data across borders, such as exposure to differing privacy laws and surveillance regimes.

Exam trap

The trap here is that candidates often confuse PCI DSS or HIPAA as relevant because they involve sensitive data, but they lack the specific cross-border transfer risk identification requirements that GDPR mandates, leading to an incorrect choice based on data sensitivity rather than regulatory scope.

How to eliminate wrong answers

Option A is wrong because PCI DSS focuses on protecting cardholder data within payment card transactions and does not specifically address cross-border data transfer risks or require adequacy assessments for international data flows. Option C is wrong because HIPAA governs protected health information (PHI) within the United States and does not impose cross-border transfer risk identification requirements for data leaving the U.S. jurisdiction. Option D is wrong because SOX mandates internal controls over financial reporting and does not contain provisions for cross-border data transfer risk identification or data protection adequacy mechanisms.

112
MCQmedium

Refer to the exhibit. What risk is most directly indicated by this log entry?

A.External attack
B.Misconfigured firewall
C.Unauthorized access attempt
D.Insider threat
AnswerC

Repeated failed SSH authentication attempts for 'root' from a single source, with no successful login, indicate password guessing, i.e. an unauthorized access attempt.

Why this answer

The log entry shows repeated 'Failed password' events for user 'root' from 10.10.10.10 via SSH. This directly indicates an unauthorized access attempt: someone is repeatedly trying to authenticate as the superuser with incorrect credentials, and the failure count is consistent with a brute-force or password-guessing attack. Note that 10.10.10.10 falls within the RFC 1918 private range 10.0.0.0/8, so the source is on an internal or adjacent network (or behind NAT), not a public internet address; the entry identifies the behaviour, not who is behind it.

Exam trap

The trap here is that candidates see a brute-force pattern and immediately think 'external attack' (Option A), but the question asks for the risk 'most directly indicated'. The log shows a specific unauthorized access attempt, and it does not establish that the source is external at all, since 10.10.10.10 is a private address.

How to eliminate wrong answers

Option A is wrong because the log shows no exploit, malware, or successful breach, only failed authentication attempts, and the source address is a private one, so 'external attack' is both too broad and not what the entry shows. Option B is wrong because a misconfigured firewall would manifest as traffic being permitted or denied incorrectly (e.g., inbound SSH reaching a host that should be unreachable); the entry shows sshd receiving and correctly rejecting bad credentials, which is an authentication event, not evidence of a rule error, although whether SSH should be reachable from that source is a separate question worth asking. Option D is wrong because an insider threat involves a trusted user abusing access they have been granted; here the actor is unauthenticated and is guessing the root password, and the entry does not attribute the attempts to any identified person, so 'unauthorized access attempt' is the more direct and defensible label.
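Detection logic for the patterns in this question and in questions 92 and 104 (a burst of failed logins from one source, and failures followed by a success from an unusual address), as an added example that is not part of the question bank. The log lines are constructed in OpenSSH's syslog format, the thresholds and time windows are assumptions, and the private-address check shows why a 10.x source should not be read as an internet attacker.

```python
"""Brute-force and failed-then-success detection over sshd auth log lines."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed sample lines (not captured from any real host) in OpenSSH's
# syslog format. syslog omits the year, so the parser assumes one.
SAMPLE_LOG = """\
Mar 10 02:13:50 srv01 sshd[4010]: Failed password for jsmith from 203.0.113.77 port 40210 ssh2
Mar 10 02:13:55 srv01 sshd[4012]: Failed password for jsmith from 203.0.113.77 port 40214 ssh2
Mar 10 02:13:58 srv01 sshd[4014]: Failed password for jsmith from 203.0.113.77 port 40218 ssh2
Mar 10 02:14:01 srv01 sshd[4021]: Failed password for root from 10.10.10.10 port 51522 ssh2
Mar 10 02:14:03 srv01 sshd[4023]: Failed password for root from 10.10.10.10 port 51530 ssh2
Mar 10 02:14:05 srv01 sshd[4025]: Failed password for root from 10.10.10.10 port 51538 ssh2
Mar 10 02:14:07 srv01 sshd[4027]: Failed password for invalid user admin from 10.10.10.10 port 51544 ssh2
Mar 10 02:14:09 srv01 sshd[4029]: Failed password for root from 10.10.10.10 port 51550 ssh2
Mar 10 02:14:12 srv01 sshd[4031]: Failed password for root from 10.10.10.10 port 51556 ssh2
Mar 10 02:15:40 srv01 sshd[4040]: Accepted password for jsmith from 203.0.113.77 port 40222 ssh2
Mar 10 09:00:00 srv01 sshd[5100]: Accepted publickey for deploy from 10.10.20.5 port 33000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_auth_log(text, year=2024):
    """Return a chronologically sorted list of (timestamp, result, user, ip)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # other sshd messages (disconnects, key exchange) are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["ip"]))
    return sorted(events)


def is_rfc1918(ip):
    """True for private IPv4 space; 10.10.10.10 is private, so an entry from
    it does not by itself show an attack from the internet."""
    return any(ipaddress.ip_address(ip) in net for net in RFC1918)


def brute_force_sources(events, threshold=5, window=timedelta(minutes=5)):
    """Map source ip -> total failures for sources that produced at least
    `threshold` failed logins inside any sliding `window`."""
    failures = defaultdict(list)
    for ts, result, _user, ip in events:
        if result == "Failed":
            failures[ip].append(ts)
    flagged = {}
    for ip, times in failures.items():
        start = 0
        for end in range(len(times)):       # times are already sorted
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged


def failed_then_success(events, min_failures=3, window=timedelta(minutes=10)):
    """List (user, ip, failure_count) where a successful login follows at
    least `min_failures` failures for the same user within `window`: the
    pattern that suggests password guessing eventually worked."""
    hits = []
    for i, (ts, result, user, ip) in enumerate(events):
        if result != "Accepted":
            continue
        prior = [e for e in events[:i]
                 if e[1] == "Failed" and e[2] == user and ts - e[0] <= window]
        if len(prior) >= min_failures:
            hits.append((user, ip, len(prior)))
    return hits


if __name__ == "__main__":
    evts = parse_auth_log(SAMPLE_LOG)
    for ip, n in brute_force_sources(evts).items():
        print(f"brute force: {ip} ({'private' if is_rfc1918(ip) else 'non-private'}), {n} failures")
    for user, ip, n in failed_then_success(evts):
        print(f"review account: {user} accepted from {ip} after {n} failures")
```

The two detectors answer different questions: the sliding-window count identifies the source to block or investigate, while the failed-then-success check identifies the account to treat as possibly compromised even though the source never crossed the brute-force threshold. The second is the event a behavioral baseline (UEBA) would score higher still if the accepting address is new for that user.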

113
MCQ · medium

During a merger and acquisition (M&A) due diligence, the acquiring company's IT risk manager is tasked with identifying risks in the target's IT environment. Which of the following would be the MOST effective technique to uncover hidden risks?

A. Analyze the target's existing risk register
B. Perform an on-site technical assessment and interview key IT staff
C. Review the target's IT policies and procedures
D. Conduct a network vulnerability scan
Answer: B

Direct assessment uncovers undocumented controls and cultural issues.

Why this answer

Option B is correct because an on-site technical assessment and interviews allow the risk manager to observe actual controls, uncover undocumented systems, and assess security culture. Option A is incorrect because the target's own risk register may be incomplete or biased. Option C is incorrect because reviewing only high-level policies may miss operational gaps. Option D is incorrect because a vulnerability scan does not cover process or governance risks.

114
Multi-Select · hard

Which THREE of the following are commonly used techniques for identifying IT risks in a large enterprise?

Select 3 answers
A. Cost-benefit analysis
B. Brainstorming sessions
C. Delphi technique
D. Risk questionnaires
E. SWOT analysis
Answers: B, D, E

Brainstorming is a common risk identification technique.

Why this answer

Options B, D, and E are correct. Brainstorming (B) is a collaborative technique. Risk questionnaires (D) gather input from many stakeholders. SWOT analysis (E) can identify risk-related strengths, weaknesses, opportunities, and threats. Option A (cost-benefit analysis) is for evaluating controls, not identifying risks. Option C (Delphi technique) is used for consensus, not initial identification.

115
MCQ · medium

A company recently experienced a data breach due to an unpatched vulnerability in a public-facing web application. During the post-incident review, the IT risk manager notes that the vulnerability was identified by the vulnerability scanner six months ago but was not remediated because the patch required a critical database server restart. Which of the following is the BEST risk treatment decision to prevent a recurrence?

A. Ignore the vulnerability until the next maintenance window.
B. Escalate the risk to senior management for acceptance.
C. Implement a compensating control such as a web application firewall.
D. Accept the risk based on the low likelihood of exploitation.
Answer: C

A WAF can block exploitation attempts until a proper patch can be applied.

Why this answer

Option C is correct because implementing a web application firewall (WAF) as a compensating control provides virtual patching, blocking exploitation attempts at the application layer (e.g., SQL injection, path traversal) without requiring a database server restart. This directly addresses the root cause—the unpatched vulnerability—while avoiding the operational disruption that prevented the patch from being applied. A WAF can inspect HTTP/HTTPS traffic and filter malicious payloads based on signatures or behavioral rules, effectively reducing risk to an acceptable level until the next maintenance window.

Exam trap

The trap here is that candidates may confuse risk acceptance (Option D) with a valid treatment when the vulnerability has already been exploited, failing to recognize that a compensating control like a WAF is the only option that actively reduces risk without causing the operational disruption that prevented patching.

How to eliminate wrong answers

Option A is wrong because ignoring the vulnerability until the next maintenance window leaves the public-facing web application exposed to active exploitation, which contradicts the goal of preventing recurrence and violates the principle of timely risk treatment. Option B is wrong because escalating the risk to senior management for acceptance is a risk acceptance decision, not a risk treatment decision that actively reduces the likelihood or impact of exploitation; it merely formalizes inaction without adding any security controls. Option D is wrong because accepting the risk based on low likelihood is invalidated by the fact that the vulnerability was already exploited once, proving that the likelihood is not low and that the threat landscape is active.

116
Multi-Select · easy

Which TWO of the following are primary sources of risk identification for IT projects?

Select 2 answers
A. Social media monitoring
B. Vendor marketing materials
C. Project documentation (e.g., scope, schedule, budget)
D. Stakeholder interviews
E. Industry benchmark reports
Answers: C, D

Project docs contain key risk information.

Why this answer

Project documentation such as scope, schedule, and budget is a primary source of risk identification because it defines the project's boundaries, constraints, and deliverables. Analyzing these documents helps identify risks related to scope creep, unrealistic timelines, or insufficient funding that could impact IT project success.

Exam trap

The trap here is that candidates often mistake external or secondary sources (like industry reports or social media) as primary risk identification sources, when in fact only project-specific documentation and direct stakeholder engagement are considered primary for IT projects.

117
Multi-Select · hard

Which THREE of the following are valid risk identification methods according to ISACA's Risk IT Framework? (Select exactly 3.)

Select 3 answers
A. Segregation of duties
B. Scenario analysis
C. Risk acceptance
D. SWOT analysis
E. Brainstorming
Answers: B, D, E

Scenario analysis explores possible future events to identify risks.

Why this answer

Scenario analysis is a valid risk identification method under ISACA's Risk IT Framework because it involves developing hypothetical scenarios to identify potential threats and vulnerabilities that could lead to risk events. This technique helps organizations anticipate and prepare for plausible adverse situations by analyzing their impact on IT assets and business objectives.

Exam trap

The trap here is that candidates often confuse risk identification techniques with risk response or control activities, mistakenly selecting segregation of duties or risk acceptance as valid identification methods when they are actually part of risk mitigation and risk treatment processes.

118
MCQ · medium

A large retailer is implementing a new point-of-sale (POS) system. The project manager wants to identify risks related to payment card data security. Which risk identification technique would be MOST effective for this purpose?

A. Risk register review from past projects
B. Brainstorming session with the project team
C. Data Flow Diagram (DFD) review
D. SWOT analysis
Answer: C

A DFD shows how card data is processed, stored, and transmitted, highlighting risk points.

Why this answer

A Data Flow Diagram (DFD) review is most effective because it visually maps how payment card data moves through the POS system—from card swipe to authorization to storage—identifying exactly where data is at rest, in transit, or processed. This allows the team to pinpoint specific PCI DSS control gaps (e.g., unencrypted transmission, unnecessary retention) that other techniques might miss.

Exam trap

The trap here is that candidates often choose 'Brainstorming session with the project team' because it seems collaborative and proactive, but they fail to recognize that for technical data security risks, a structured, visual analysis like a DFD review is far more precise and complete.

How to eliminate wrong answers

Option A is wrong because a risk register from past projects captures generic historical risks but cannot reveal the unique data flows, integration points, or PCI DSS compliance gaps specific to this new POS system. Option B is wrong because a brainstorming session with the project team relies on subjective, unstructured input and may overlook subtle data-handling vulnerabilities that only a systematic diagram-based analysis can expose. Option D is wrong because SWOT analysis evaluates strengths, weaknesses, opportunities, and threats at a strategic level, not the granular technical details of payment data movement and storage required for PCI DSS risk identification.

119
MCQ · hard

A technology startup is developing a mobile payment application. During a risk identification workshop, the team identifies a risk that the application may not comply with Payment Card Industry Data Security Standard (PCI DSS) requirements. What is the BEST way to categorize this risk?

A. Compliance risk.
B. Strategic risk.
C. Operational risk.
D. Reputational risk.
Answer: A

Non-compliance with PCI DSS is a direct regulatory risk.

Why this answer

Non-compliance with PCI DSS is a direct violation of regulatory requirements, making it a compliance risk. For a mobile payment application handling cardholder data, PCI DSS mandates specific security controls (e.g., encryption of PAN, access controls, logging). Failure to meet these standards exposes the startup to fines, legal sanctions, and potential loss of the ability to process payments.

Exam trap

The trap here is that candidates confuse the primary risk category (compliance) with the potential business impact (reputational or operational), but CRISC expects the root cause—failure to meet a regulatory standard—to be classified as compliance risk.

How to eliminate wrong answers

Option B (Strategic risk) is wrong because strategic risk relates to high-level business decisions (e.g., entering a new market, choosing a technology stack) that affect long-term goals, not a specific regulatory mandate. Option C (Operational risk) is wrong because operational risk involves failures in day-to-day processes, systems, or human error (e.g., server downtime, transaction processing errors), not a compliance gap. Option D (Reputational risk) is wrong because reputational risk is a consequence of other risks (e.g., a data breach from non-compliance), not the primary categorization of the risk itself.

120
Matching · medium

Match each compliance framework to its primary focus.


Concepts
Matches

Information security management system

Cybersecurity risk management framework

Payment card data security

Healthcare data privacy and security

Why these pairings

Different frameworks address specific regulatory or industry requirements.

121
MCQ · hard

You are the IT risk manager for a mid-sized e-commerce company that processes over 10,000 transactions per day. The company recently migrated its customer database from an on-premises SQL Server to a cloud-based PostgreSQL instance on AWS RDS. The database contains personally identifiable information (PII) including names, addresses, and credit card numbers (stored as encrypted tokens). The migration was performed by the DevOps team with minimal involvement from the security team. Two weeks after the migration, the company experienced a data breach where an attacker exfiltrated a subset of customer records. The forensic investigation revealed that the attacker exploited a misconfigured security group that allowed inbound traffic from the internet on port 5432 (PostgreSQL default port). Additionally, the database had a publicly accessible endpoint, and the master user password was weak (eight characters, no special characters). The attacker used a brute-force attack to guess the password. The security group has since been corrected, and the password has been changed to a strong one. The breach notification laws require reporting within 72 hours. The CEO wants to understand the root cause and prevent recurrence. As the risk manager, which of the following actions should you recommend as the MOST effective to prevent a similar incident?

A. Implement infrastructure-as-code (IaC) security scanning and policy enforcement in the CI/CD pipeline to prevent insecure configurations.
B. Deploy an intrusion detection system (IDS) to monitor database traffic for brute-force attempts.
C. Hire a dedicated database administrator to review all database configurations weekly.
D. Conduct quarterly security audits of cloud infrastructure configurations.
Answer: A

Automated enforcement prevents misconfigurations from being deployed.

Why this answer

Option A is correct because the root cause is the misconfigured security group and weak password, both of which stem from insufficient security review and lack of automated controls. Implementing a policy-as-code tool that enforces security group rules (e.g., no public access to databases) and password policies during deployment would prevent such misconfigurations. Option B is wrong because IDS/IPS detects attacks but does not prevent misconfigurations. Option C is wrong because while a dedicated DBA could help, it does not address the process gap for automated enforcement. Option D is wrong because quarterly reviews are too infrequent to catch misconfigurations quickly.

122
MCQ · medium

You are a risk analyst for a financial institution that uses a legacy mainframe system for core banking transactions. The mainframe is critical for daily operations, but it is no longer supported by the vendor. The system has known vulnerabilities that cannot be patched due to compatibility issues. The institution has a risk appetite that is very low for any disruption to core banking services. Recently, there was a minor outage caused by a hardware failure, which was resolved quickly, but it highlighted the system's fragility. The IT director proposes to migrate to a modern system, but the migration will take 2 years and cost $5 million. The board is concerned about the cost and timeline. You need to recommend an immediate risk treatment to reduce the likelihood of a major outage while the migration is underway. Which of the following is the BEST course of action?

A. Accept the risk because the migration plan is in place.
B. Implement redundant hardware for critical components and conduct regular failover testing.
C. Negotiate with the vendor for extended support.
D. Purchase business interruption insurance to cover potential losses.
Answer: B

Redundancy reduces the likelihood of a single point of failure and testing ensures readiness.

Why this answer

Option B is correct because implementing redundant hardware for critical components and conducting regular failover testing directly reduces the likelihood of a major outage by addressing the single point of failure exposed by the recent hardware failure. This is an immediate risk treatment that does not depend on the 2-year migration timeline, and it aligns with the institution's very low risk appetite for core banking disruption.

Exam trap

The trap here is that candidates may choose option D (insurance) because it seems like a quick financial fix, but CRISC emphasizes that risk treatment must first address likelihood reduction before considering financial transfer, especially when the risk appetite is very low.

How to eliminate wrong answers

Option A is wrong because simply accepting the risk while the migration is underway ignores the immediate fragility highlighted by the recent outage and the known unpatched vulnerabilities; risk acceptance is not appropriate when the risk appetite is very low and a treatment is feasible. Option C is wrong because the system is no longer supported by the vendor, so negotiating for extended support is unlikely to succeed or may only provide limited, costly patches that do not address the hardware fragility; it also does not reduce the likelihood of a hardware-related outage. Option D is wrong because purchasing business interruption insurance only transfers the financial impact of a major outage, not the likelihood of it occurring; it does nothing to reduce the probability of a disruption, which is the primary concern given the very low risk appetite.

123
Multi-Select · hard

Which THREE of the following are essential components of a risk register that should be documented during risk identification? (Select exactly 3.)

Select 3 answers
A. Quantified monetary impact
B. Risk owner
C. Root cause
D. Mitigation plan
E. Risk description
Answers: B, C, E

Assigning an owner ensures accountability for managing the risk.

Why this answer

The risk register is a foundational artifact in IT risk management, and during the identification phase, its essential components are the risk description (to uniquely identify the risk), the risk owner (to assign accountability), and the root cause (to understand the underlying source). These three elements are documented before any quantitative analysis or mitigation planning occurs, as they form the basis for subsequent risk assessment and response.

Exam trap

The trap here is that candidates often confuse the risk identification phase with the risk assessment phase, selecting 'Quantified monetary impact' because they think it is needed upfront, when in fact it is only determined after the risk has been identified and analyzed.

124
MCQ · medium

A hospital uses a patient portal that allows patients to access their medical records. The portal has experienced multiple brute-force login attempts. The risk manager wants to identify the most critical risk scenario. Which of the following should be prioritized?

A. Denial of service due to excessive login attempts.
B. Unauthorized access to patient medical records.
C. Insufficient encryption of data in transit.
D. Phishing attacks targeting portal users.
Answer: B

Breach of medical records can lead to legal penalties, identity theft, and harm to patients.

Why this answer

The most critical risk scenario from brute-force login attempts is unauthorized access to patient medical records, as this directly compromises patient privacy and violates HIPAA regulations. While denial of service is a concern, the primary impact of successful brute-force attacks is data breach, not service availability. The risk manager must prioritize the confidentiality of protected health information (PHI) over other operational risks.

Exam trap

The trap here is that candidates may focus on the immediate technical symptom (denial of service) rather than the primary business impact (unauthorized data access), which is the core of risk identification in CRISC.

How to eliminate wrong answers

Option A is wrong because denial of service from excessive login attempts is a temporary availability issue, not the most critical risk; brute-force attacks primarily aim to gain access, not to overwhelm the system, and rate limiting or account lockout policies can mitigate DoS. Option C is wrong because insufficient encryption of data in transit is a separate vulnerability related to data exposure during transmission (e.g., missing TLS), not directly caused by brute-force login attempts; the question focuses on the consequence of brute-force attacks, not encryption weaknesses. Option D is wrong because phishing attacks are a different attack vector involving social engineering to steal credentials, not a direct result of brute-force attempts; the scenario explicitly describes brute-force login attempts, not phishing.
