CCNA Risk Response and Mitigation Questions

71 questions · Risk Response and Mitigation · All types, answers revealed

1
MCQ · medium

A risk assessment reveals that the cost of implementing a control ($500k) exceeds the annualized loss expectancy (ALE) of $300k. The risk is currently within the organization's risk appetite. What is the appropriate risk response?

A.Accept the risk
B.Implement the control
C.Avoid the risk
D.Transfer the risk
Answer: A

Acceptance is justified when mitigation is not cost-effective.

Why this answer

Option A is correct because accepting the risk is cost-effective when the control cost exceeds the ALE and the risk is within appetite. Options B, C, and D are incorrect.

2
MCQ · easy

A company has identified a critical vulnerability in a legacy application that cannot be patched immediately. The application is used by a small number of users and supports a non-critical business process. Which of the following is the MOST appropriate risk response strategy?

A.Avoidance
B.Transfer
C.Acceptance
D.Mitigation
Answer: C

Acceptance is appropriate when risk is low impact and cannot be mitigated or transferred easily.

Why this answer

Option C is correct because acceptance is the appropriate response when the risk is low impact and cannot be mitigated or transferred easily. Option A is wrong because avoidance would mean decommissioning the application, which is not necessary. Option B is wrong because transfer would require insurance or outsourcing, which is not cost-effective. Option D is wrong because mitigation would involve patching, which is not possible.

3
Multi-Select · hard

An organization assesses a risk of intellectual property theft through email exfiltration. They decide to enforce DLP controls, purchase a cyber liability policy, and officially accept the residual risk after controls. Which THREE risk response options are demonstrated?

Select 3 answers
A.Avoid
B.Reduce
C.Mitigate
D.Accept
E.Transfer
Answers: C, D, E

DLP controls mitigate the risk.

Why this answer

Options C, D, and E are correct: Mitigate via DLP, Accept the residual risk, Transfer via insurance. Options A and B are not used.

4
MCQ · medium

After implementing a set of controls, the risk owner calculates the residual risk and finds it is still above the risk tolerance. However, the cost to further reduce the risk exceeds the potential loss. What is the MOST appropriate next step?

A.Formally accept the residual risk
B.Re-assess the inherent risk
C.Reduce current controls to lower costs
D.Implement additional controls despite the cost
Answer: A

Acceptance with sign-off is appropriate when mitigation is too costly.

Why this answer

Option A is correct because when additional mitigation is cost-prohibitive, acceptance with formal sign-off is appropriate. Option D is wrong because implementing further controls is not cost-effective. Option C is wrong because reducing controls would increase risk. Option B is wrong because re-assessing inherent risk does not change the situation.

5
MCQ · medium

An organization's security team recommends implementing a web application firewall (WAF) to protect against SQL injection attacks. The risk manager evaluates the cost of the WAF and the likelihood of a successful attack. This evaluation is BEST described as:

A.Residual risk calculation
B.Inherent risk assessment
C.Cost-benefit analysis
D.Risk acceptance
Answer: C

Comparing the cost of a control to the expected loss is cost-benefit analysis.

Why this answer

Option C is correct because cost-benefit analysis compares the cost of controls against the expected loss. Option D is wrong because risk acceptance is a decision, not an evaluation. Option A is wrong because residual risk is what remains after controls. Option B is wrong because inherent risk is the risk before controls.

6
MCQ · hard

A company has implemented a risk mitigation plan that includes technical controls. However, six months later, the residual risk is still higher than expected. The risk practitioner suspects that the controls are not being followed. Which of the following is the BEST approach to verify this?

A.Perform a new risk assessment
B.Interview control owners
C.Review risk register updates
D.Conduct a control testing and audit review
Answer: D

Testing provides direct evidence of control operation.

Why this answer

Option D is correct because control testing and audit review directly assess whether controls are operating as intended. Options A and B are indirect. Option C does not verify effectiveness.

7
MCQ · easy

A security team identifies a critical vulnerability in a web application that cannot be patched immediately. They deploy a web application firewall (WAF) to block exploitation attempts. This is an example of:

A.Risk Transfer
B.Risk Mitigation
C.Risk Avoidance
D.Risk Acceptance
Answer: B

Deploying a WAF reduces risk, so it is mitigation.

Why this answer

Option B is correct because deploying a WAF reduces the likelihood of exploitation, which is a risk mitigation strategy.

8
MCQ · medium

Refer to the exhibit. A risk manager reviews the vulnerability scan output. According to the policy, what is the required risk response?

A.Accept the risk
B.Transfer the risk
C.Avoid by disabling the service
D.Mitigate by patching or compensating controls
Answer: D

Remediation is required.

Why this answer

Option D is correct because the policy mandates remediation (mitigation) for CVSS >= 9.0. Options A, B, and C are inconsistent with the policy.

9
MCQ · hard

Based on the risk register exhibit, which of the following is the MOST appropriate risk response for R-0042?

A.Mitigate the risk by implementing additional encryption controls
B.Transfer the risk to a third-party insurer
C.Avoid the risk by discontinuing storage of PII
D.Accept the risk and continue monitoring
Answer: D

Since residual risk is below the risk appetite threshold, acceptance is appropriate.

Why this answer

R-0042 is a low-likelihood, low-impact risk involving PII stored with AES-256 encryption and strict access controls. The residual risk is within the organization's risk appetite, making acceptance with continued monitoring the most appropriate response. Mitigation, transfer, or avoidance would introduce unnecessary cost or operational disruption for a risk already well-controlled.

Exam trap

The trap here is that candidates often assume any risk involving PII must be mitigated or avoided, ignoring the risk register's explicit low-likelihood and low-impact ratings and the existing strong controls, which make acceptance the most cost-effective and appropriate response.

How to eliminate wrong answers

Option A is wrong because the risk register shows encryption (AES-256) is already implemented, so adding further encryption controls would provide negligible risk reduction and is not cost-effective. Option B is wrong because transferring the risk to a third-party insurer is typically reserved for high-impact, low-frequency risks (e.g., data breach liability), not for a low-impact, low-likelihood risk already within appetite. Option C is wrong because discontinuing storage of PII would avoid the risk entirely but is a drastic measure that would disrupt business operations and is disproportionate to the low severity of R-0042.

10
MCQ · easy

A global manufacturing company is implementing a new ERP system across multiple regions. The project manager has identified a risk that data migration from legacy systems may cause data corruption, leading to production delays. The risk owner proposes conducting a full data reconciliation after migration. However, the IT director argues that this would be too time-consuming and suggests only sampling data for verification. The risk manager must decide on the risk response. The project timeline is tight, and the company has a low tolerance for data integrity issues. Which of the following is the BEST course of action?

A.Accept the risk and proceed with data sampling to save time
B.Avoid the risk by postponing the ERP implementation
C.Implement the full data reconciliation as proposed by the risk owner
D.Transfer the risk by purchasing insurance for data corruption
Answer: C

Full reconciliation directly addresses the risk and aligns with low tolerance for data integrity issues.

Why this answer

Full data reconciliation is the correct risk response because the company has a low tolerance for data integrity issues and the risk of data corruption could cause production delays. While time-consuming, this approach directly mitigates the identified risk by ensuring all migrated data is verified, aligning with the risk appetite. Sampling would leave a margin of error unacceptable for a low-tolerance environment, and the other options either fail to address the risk or are impractical.

Exam trap

The trap here is that candidates may choose data sampling (Option A) as a compromise to save time, overlooking that the company's low tolerance for data integrity issues demands full verification, not a statistical shortcut.

How to eliminate wrong answers

Option A is wrong because accepting the risk with data sampling ignores the company's low tolerance for data integrity issues and could leave undetected corruption that causes production delays. Option B is wrong because avoiding the risk by postponing the ERP implementation is an extreme overreaction that does not address the immediate need for migration and would cause significant business disruption. Option D is wrong because transferring the risk via insurance does not prevent data corruption or production delays; it only provides financial compensation after the fact, which does not meet the requirement for data integrity.

11
Multi-Select · medium

A company has a critical production system with a known vulnerability. Due to the system's age, the vendor no longer supports it. The company decides to implement network segmentation and purchase cyber insurance to cover potential losses. Which TWO risk response options are they applying?

Select 2 answers
A.Accept
B.Transfer
C.Avoid
D.Ignore
E.Mitigate
Answers: B, E

Insurance transfers financial risk.

Why this answer

Options B and E are correct: Transfer via insurance and Mitigate via segmentation. Options A, C, and D are not applied.

12
MCQ · hard

A multinational corporation is evaluating a new vendor for cloud services. The vendor's data centers are located in a country with weak data protection laws. The corporation's data includes personal information of EU citizens subject to GDPR. What is the MOST appropriate risk response?

A.Avoid by choosing a vendor in a country with strong data protection laws
B.Require the vendor to sign standard contractual clauses and encrypt all data
C.Accept the risk because the vendor offers the best price
D.Purchase cyber insurance to cover potential fines
Answer: B

This mitigates the risk to an acceptable level under GDPR.

Why this answer

Option B is correct because GDPR requires adequate safeguards; standard contractual clauses and data encryption can mitigate the risk. Option D is wrong because insurance does not cover regulatory fines. Option C is wrong because acceptance may lead to non-compliance. Option A is wrong because avoidance may not be practical if the vendor is the best option.

13
MCQ · hard

After implementing security controls, a risk assessment shows a residual risk of data exfiltration with a probability of 5% and potential loss of $10 million. The organization's risk appetite allows a maximum acceptable risk level of 3% probability for such impact. The cost of further mitigation is $1 million. What is the best risk response?

A.Implement additional controls to reduce probability to 2%
B.Accept the residual risk
C.Purchase cybersecurity insurance
D.Discontinue the process
Answer: A

Further mitigation brings the risk within appetite.

Why this answer

Option A is correct because the residual risk exceeds the risk appetite, so additional mitigation is required regardless of cost-benefit. Option B is wrong because the risk is outside appetite. Option C may reduce impact but not probability, and the appetite is defined in terms of probability. Option D is overly disruptive.

14
MCQ · easy

A risk assessment reveals that a data center is located in a flood-prone area. The organization decides to build a secondary data center in a different region and replicate critical data between both sites. This is an example of which risk response?

A.Risk acceptance
B.Risk mitigation
C.Risk avoidance
D.Risk transfer
Answer: B

Mitigation reduces risk through controls like replication.

Why this answer

Option B is correct because mitigation involves reducing risk through controls like redundancy. Option C is wrong because avoidance would mean moving the primary data center. Option D is wrong because transfer would involve insurance. Option A is wrong because acceptance would mean doing nothing.

15
MCQ · easy

Refer to the exhibit. A risk practitioner is reviewing the access control list for a critical server. The ACL is applied inbound on the interface connecting to the internet. Which of the following is the MOST significant risk?

A.The ACL permits all HTTPS and DNS traffic from the subnet, increasing attack surface
B.The ACL has no logging enabled
C.The ACL is missing a permit statement for HTTP
D.The ACL blocks all traffic from the internet
Answer: A

Broad permits may allow unauthorized traffic.

Why this answer

Option A is correct because permitting all HTTPS (TCP/443) and DNS (UDP/53) traffic from any source on the internet to the critical server unnecessarily exposes the server to potential exploitation of vulnerabilities in the web server software (e.g., Apache, Nginx) and DNS resolver services. This broad permit statement increases the attack surface significantly, as HTTPS and DNS are common vectors for attacks such as SQL injection, cross-site scripting, and DNS amplification or tunneling. The risk is heightened because the ACL is applied inbound on the internet-facing interface, meaning all external traffic matching these protocols is allowed without restriction, bypassing any stateful inspection or application-layer filtering.

Exam trap

The trap here is that candidates often focus on missing logging (option B) or missing HTTP (option C) as the most critical issue, but the real risk is the overly permissive ACL that allows all HTTPS and DNS traffic from any source, which dramatically increases the attack surface and is a classic misconfiguration in ACL design.

How to eliminate wrong answers

Option B is wrong because the absence of logging is a monitoring deficiency, not the most significant risk; logging is important for forensic analysis but does not directly increase the attack surface or allow malicious traffic. Option C is wrong because HTTP (TCP/80) is not explicitly permitted, but this is a lesser risk compared to allowing all HTTPS and DNS traffic, as HTTP traffic would be blocked by default (implicit deny) and does not expose the server to the same volume of potential attacks. Option D is wrong because blocking all traffic from the internet would actually reduce risk by preventing external access entirely, though it may break legitimate business functionality; however, the question asks for the most significant risk, and blocking all traffic is a security measure, not a risk.

16
MCQ · medium

Refer to the exhibit. An organization uses this firewall access list. What is the MOST significant risk associated with this configuration?

A.The final rule denies all traffic
B.HTTPS traffic is permitted to any destination
C.SSH access is only allowed from internal network
D.HTTP traffic is permitted from any source to any destination
Answer: D

Unrestricted HTTP exposure is risky.

Why this answer

Option D is correct because the rule "permit tcp any any eq 80" allows unrestricted HTTP access from any source to any destination, increasing exposure to web attacks. Option C is wrong because SSH being restricted to the internal network is a sound control, not a risk. Option B is wrong because HTTPS is needed for web traffic. Option A is wrong because the final deny-all rule is proper.

17
MCQ · medium

A multinational corporation has adopted a risk mitigation strategy for its key suppliers by requiring them to maintain ISO 27001 certification. During an audit, the risk manager discovers that one critical supplier lost its certification six months ago but did not report it, as contractually required. The supplier still has adequate security controls in place, and the relationship is strategically important. The CEO wants to avoid contract termination. What is the MOST appropriate risk response?

A.Issue a corrective action plan requiring the supplier to regain certification within three months, with monthly progress reviews.
B.Transfer the risk to the supplier's cyber liability insurance policy.
C.Accept the risk because the supplier still has effective controls, and update the risk register.
D.Terminate the contract immediately and find an alternative supplier.
Answer: A

This enforces the contract and restores the intended risk mitigation.

Why this answer

Option A is correct because it directly addresses the contractual breach with a remediation plan while keeping the supplier. Option C is wrong because acceptance disregards the contractual requirement. Option D is wrong because termination may be too severe and disrupt operations. Option B is wrong because transferring risk to the supplier's insurance does not restore certification.

18
MCQ · hard

A third-party vendor's security assessment reveals multiple high-risk findings related to data handling. The vendor is unwilling to remediate, citing cost. The vendor contract includes a clause that requires adherence to security standards. The organization's risk appetite for third-party risk is low. What is the most appropriate risk response?

A.Avoid by terminating the contract
B.Mitigate by reducing data shared
C.Transfer via insurance
D.Accept the risk and monitor
Answer: A

Termination eliminates the risk.

Why this answer

Option A is correct because avoidance by terminating the contract addresses the risk directly. Options B, C, and D do not fully resolve the risk given the low appetite.

19
Matching · medium

Match each risk management process step to its activity.



Find and list potential risks

Determine likelihood and impact

Compare risk levels to risk criteria

Select and implement controls

Why these pairings

These steps form the core risk management process per ISACA.

20
MCQ · easy

During a risk assessment, the risk owner identifies that the residual risk level is higher than the risk appetite. Which of the following actions should the risk owner take FIRST?

A.Update the risk register
B.Escalate to senior management
C.Implement additional controls
D.Reduce the risk appetite
Answer: B

Residual risk exceeding appetite requires a senior management decision.

Why this answer

Option B is correct because the first step is to escalate to senior management, as residual risk exceeding appetite requires their approval. Option A is wrong because updating the risk register does not address the issue. Option C is wrong because adding controls may not be feasible. Option D is wrong because reducing appetite without addressing the risk is not appropriate.

21
Multi-Select · easy

Which TWO of the following are examples of risk mitigation controls?

Select 2 answers
A.Implementing a firewall
B.Purchasing cyber insurance
C.Accepting the risk
D.Encrypting sensitive data
E.Discontinuing a high-risk service
Answers: A, D

Mitigation reduces risk through preventive controls.

Why this answer

Options A and D are correct. A firewall is a preventive control that mitigates network threats. Encryption protects data.

Option B is wrong because insurance is a risk transfer. Option C is wrong because accepting risk is not mitigation. Option E is wrong because avoiding risk means not engaging in the activity.

22
Multi-Select · hard

Which TWO of the following are valid reasons to accept a risk rather than mitigate it?

Select 2 answers
A.Management is not aware of the risk
B.The risk relates to regulatory non-compliance
C.The risk level is within the risk appetite
D.The organization wants to avoid the risk entirely
E.The cost of mitigation is higher than the potential loss
Answers: C, E

Acceptance is appropriate when within appetite.

Why this answer

Options C and E are correct. If the risk is within appetite, acceptance is appropriate. If mitigation cost exceeds potential loss, acceptance is cost-effective.

Option A is wrong because lack of awareness is not a valid basis for acceptance. Option D is wrong because avoidance is a different response. Option B is wrong because regulatory risk should be mitigated or avoided.

23
MCQ · hard

An organization uses a legacy system that cannot be patched because the vendor is defunct. The system supports a core business function. The risk assessment shows a high likelihood of exploitation and high impact. The board has decided to keep the system operational due to its criticality. Which risk response should the risk manager recommend?

A.Accept the risk
B.Implement compensating controls
C.Transfer via insurance
D.Avoid by decommissioning
Answer: B

Controls like segmentation and monitoring reduce the risk.

Why this answer

Option B is correct because compensating controls mitigate the risk without replacing the system. Options A, C, and D are either unacceptable or impractical.

24
Multi-Select · easy

A risk practitioner is reviewing the organization's risk response strategies for a high-value asset. Which TWO of the following are examples of risk mitigation techniques? (Choose two.)

Select 2 answers
A.Implementing firewalls to protect the network perimeter.
B.Conducting regular vulnerability assessments and patching.
C.Avoiding the risk by discontinuing the vulnerable activity.
D.Accepting the risk because the cost of mitigation exceeds the potential loss.
E.Purchasing cyber insurance to cover potential losses.
Answers: A, B

Correct: Firewalls reduce the likelihood of network-based attacks, which is a mitigation technique.

Why this answer

Implementing firewalls to protect the network perimeter is a risk mitigation technique because it reduces the likelihood of unauthorized access by filtering traffic based on security rules. Firewalls operate at layers 3 and 4 (and sometimes layer 7) of the OSI model, using stateful inspection or application-layer filtering to block malicious packets. This directly lowers the probability of a successful attack on the high-value asset, which is the essence of mitigation.

Exam trap

The trap here is that candidates often confuse risk mitigation with risk transfer (insurance) or risk acceptance, failing to recognize that mitigation involves active controls (like firewalls and patching) that reduce the risk level, not just financial compensation or inaction.

25
Drag & Drop · medium

Order the steps for implementing a risk treatment plan.



Why this order

Risk treatment starts with selecting response, planning, approval, implementation, and monitoring.

26
Multi-Select · medium

A risk assessment for a financial trading platform has identified a high-risk vulnerability in the order matching engine. The risk owner has recommended implementing compensating controls rather than fixing the underlying code. Which TWO of the following are valid compensating controls? (Choose two.)

Select 2 answers
A.Rewrite the order matching engine in a memory-safe language
B.Deploy a Web Application Firewall (WAF) to block malicious payloads
C.Enable detailed logging for all order matching transactions
D.Require manual approval for all orders above a threshold
E.Implement rate limiting on order submissions
Answers: D, E

Manual approval adds a human verification step, reducing the impact of a potential exploit.

Why this answer

Option D is correct because requiring manual approval for orders above a threshold directly reduces the impact of a successful exploit by preventing large-scale financial loss, even if the underlying code vulnerability remains unpatched. This compensating control shifts the risk acceptance decision to a human operator, effectively adding a business logic layer that can catch anomalous or malicious order matching attempts. Option E is correct because rate limiting on order submissions mitigates the risk of an attacker exploiting the vulnerability to submit a high volume of malicious orders, thereby limiting the blast radius and preventing denial-of-service or market manipulation scenarios.

Exam trap

The trap here is that candidates confuse detective controls (logging) or remediation (rewriting code) with compensating controls, failing to recognize that a compensating control must actively reduce risk without fixing the original vulnerability.

27
MCQ · medium

Based on the exhibit, which risk response should be prioritized?

A.Implement account lockout policy
B.Avoid by taking the server offline
C.Accept the risk because it's only a single server
D.Transfer the risk to a cloud provider
Answer: A

Account lockout reduces the effectiveness of brute-force attacks.

Why this answer

Option A is correct because implementing account lockout directly addresses the threat of brute-force attacks, which is mitigation.

28
MCQ · medium

A bank implements a new transaction monitoring system to detect fraudulent activities. After six months, the system has a high false positive rate, causing analysts to miss real threats. Which of the following is the BEST way to address this risk?

A.Accept the false positives as a cost of doing business
B.Tune the system to reduce false positives
C.Remove the monitoring system to focus on other controls
D.Hire additional analysts to review all alerts
Answer: B

Tuning improves detection accuracy.

Why this answer

Option B is correct because tuning the system reduces false positives, improving effectiveness. Option C is wrong because removal would leave the bank exposed. Option D is wrong because hiring more analysts does not fix the root cause. Option A is wrong because ignoring false positives would increase risk.

29
MCQ · medium

During a review, a risk practitioner discovers that a key control for a high-risk process is not operating effectively. The risk owner is reluctant to invest in additional controls due to budget constraints. What should the risk practitioner do FIRST?

A.Accept the risk owner's decision
B.Document the deficiency and move on
C.Communicate the risk exposure to senior management
D.Escalate directly to the board
Answer: C

Senior management needs to be aware of the risk and decide on additional funding.

Why this answer

Option C is correct because the risk practitioner's primary duty is to ensure that senior management is aware of material risk exposures that could impact business objectives. When a key control for a high-risk process is ineffective and the risk owner refuses to remediate due to budget constraints, the practitioner must communicate the residual risk exposure to senior management, who have the authority to allocate resources and make strategic risk acceptance decisions. This aligns with the CRISC framework's emphasis on escalating risk information to the appropriate decision-making level when the risk owner's response is inadequate.

Exam trap

The trap here is that candidates confuse 'documenting the deficiency' (Option B) with completing the risk management process, but CRISC requires active communication of risk exposure to the appropriate authority, not just passive recording.

How to eliminate wrong answers

Option A is wrong because accepting the risk owner's decision without further action would violate the risk practitioner's responsibility to ensure that risk acceptance is based on complete and accurate information; the risk owner's budget-driven refusal does not constitute a valid risk acceptance decision without senior management's informed consent. Option B is wrong because simply documenting the deficiency and moving on fails to address the material risk exposure; documentation is necessary but not sufficient—the practitioner must actively communicate the risk to those who can authorize additional controls or formally accept the risk. Option D is wrong because escalating directly to the board bypasses the proper escalation chain; the board should only be involved for strategic-level risks or after senior management has been informed and has failed to act, not as a first step.

30
MCQ · medium

Refer to the exhibit. Based on the risk register, which risk response is applied to the risk with the highest inherent risk?

A.Transfer
B.Avoid
C.Accept
D.Mitigate
Answer: A

Risk-001 uses Transfer.

Why this answer

Option A is correct because Risk-001 has an inherent risk of High and its response is Transfer. Options B, C, and D are incorrect.

31
Matching · medium

Match each risk response strategy to its definition.



Eliminate the activity that causes the risk

Reduce the likelihood or impact of the risk

Shift the risk to a third party, e.g., insurance

Acknowledge the risk and take no further action

Why these pairings

These are the four primary risk response options per ISACA.

32
MCQ · hard

Refer to the exhibit. Given the organization's risk appetite is Low, which risk response is most appropriate?

A.Accept the current residual risk because it is Medium.
B.Avoid the risk by discontinuing operations.
C.Transfer the risk via insurance.
D.Implement additional monitoring to reduce residual risk to Low.
Answer: D

Correct: This aligns with the low risk appetite by reducing residual risk to an acceptable level.

Why this answer

With a Low risk appetite, the organization requires residual risk to be Low. Option D proposes implementing additional monitoring to reduce the Medium residual risk to Low, which aligns with the risk appetite. This is a corrective response that mitigates the risk without unnecessary business disruption.

Exam trap

ISACA often tests the misconception that transferring risk (e.g., insurance) eliminates the risk itself, when in fact it only covers financial loss, leaving the operational risk level unchanged.

How to eliminate wrong answers

Option A is wrong because accepting a Medium residual risk violates the organization's Low risk appetite; acceptance is only appropriate when residual risk is within appetite. Option B is wrong because avoiding the risk by discontinuing operations is an extreme and disproportionate response that unnecessarily halts business functions when a less drastic mitigation (like monitoring) can achieve the required risk level. Option C is wrong because transferring risk via insurance does not reduce the inherent or residual risk level; it only shifts financial impact, leaving the operational risk still at Medium, which still violates the Low risk appetite.

33
MCQ · medium

After implementing a new web application, the risk owner reports that the residual risk level is still above the risk appetite. Which of the following should be the risk practitioner's FIRST action?

A.Re-evaluate risk treatment options with the risk owner
B.Escalate directly to the board
C.Update the risk register to reflect the residual risk
D.Accept the residual risk
Answer: A

The practitioner should collaborate with the risk owner to identify additional controls or modify existing ones.

Why this answer

When residual risk remains above the risk appetite after treatment, the risk practitioner must first re-evaluate the existing risk treatment options with the risk owner. This collaborative review identifies whether additional controls (e.g., stricter input validation, rate limiting, or Web Application Firewall tuning) can further reduce the risk to an acceptable level before considering escalation or acceptance.

Exam trap

The trap here is that candidates often confuse the urgency of residual risk with the need to immediately escalate or accept it, when the correct first step is to revisit treatment options with the risk owner to see if further controls can close the gap.

How to eliminate wrong answers

Option B is wrong because escalating directly to the board bypasses the proper risk management process; the board should only be informed after all feasible treatment options have been exhausted and documented. Option C is wrong because updating the risk register to reflect residual risk is a documentation step that should occur after determining the final risk response, not as the first action. Option D is wrong because accepting residual risk above the risk appetite without first exploring additional mitigation measures violates the principle of risk reduction and could lead to unacceptable exposure.

34
MCQmedium

An employee with access to sensitive financial data has been observed accessing systems outside of normal working hours and exhibiting erratic behavior. The IT risk manager suspects insider threat. What is the most appropriate risk response?

A.Terminate the employee immediately
B.Implement additional monitoring and restrictions
C.Accept the risk as the employee is trusted
D.Transfer via fidelity insurance
AnswerB

Mitigation through controls reduces the risk.

Why this answer

Option B is correct because additional monitoring and access restrictions reduce both the likelihood and the impact of insider misuse while the suspicion is investigated, without the legal and employment fallout of acting on suspicion alone. Option A is wrong because immediate termination on unproven suspicion is disproportionate and may itself create legal exposure. Option C is wrong because acceptance ignores observed warning signs. Option D is wrong because fidelity insurance only reimburses a loss after the fact; it does nothing to stop data leaving.

35
Multi-Selectmedium

Which TWO of the following are examples of risk avoidance? (Select TWO.)

Select 2 answers
A.Accepting the risk
B.Installing a firewall
C.Deciding not to enter a new market
D.Purchasing insurance
E.Discontinuing a risky product line
AnswersC, E

Not entering the market avoids the associated risks.

Why this answer

Options C and E are correct because declining to enter a new market and discontinuing a risky product line both eliminate the risk by not performing the activity that creates it. Option A is acceptance, Option B is mitigation, and Option D is transfer.

36
MCQhard

An organization is considering outsourcing its IT support to a third-party provider. The risk manager has identified that the provider's data handling practices may not comply with regulatory requirements. Which of the following is the BEST risk response strategy?

A.Mitigate by regularly monitoring the provider
B.Avoid by keeping IT support in-house
C.Transfer the risk through the outsourcing contract
D.Accept the risk because the provider is cheaper
AnswerB

Avoidance is appropriate when compliance cannot be assured.

Why this answer

Option B is correct because when compliance with regulatory requirements cannot be assured, the most defensible response is to avoid the risk by keeping IT support in-house. Option A is wrong because monitoring the provider can detect non-compliance but cannot guarantee it is corrected. Option C is wrong because regulatory accountability stays with the organization and cannot be contracted away; the contract only shifts some of the financial consequences.

Option D is wrong because a lower price never justifies accepting probable regulatory non-compliance.

37
MCQeasy

An organization decides to outsource its data center operations to a third party. This is an example of which risk response?

A.Risk reduction
B.Risk transfer
C.Risk acceptance
D.Risk avoidance
AnswerB

Outsourcing transfers operational risk to the third party.

Why this answer

Outsourcing data center operations transfers the financial and operational risks associated with managing the infrastructure to a third-party provider. This is a classic risk transfer response because the organization retains ownership of the data and business accountability but shifts the liability for physical security, hardware maintenance, and uptime to the vendor via contractual agreements, such as SLAs with penalty clauses.

Exam trap

The trap here is that candidates confuse risk transfer with risk reduction, mistakenly thinking that outsourcing reduces the risk of hardware failure, when in fact it only shifts the financial liability for that failure, not the operational impact on the business.

How to eliminate wrong answers

Option A is wrong because risk reduction involves implementing controls to lower the likelihood or impact of a risk, such as deploying redundant power supplies or fire suppression systems, not outsourcing operations. Option C is wrong because risk acceptance means formally acknowledging the risk and choosing to bear it without additional action, which contradicts the active decision to engage a third party. Option D is wrong because risk avoidance would mean ceasing the activity that generates the risk, such as shutting down the data center entirely, rather than transferring its management to another entity.

38
MCQmedium

An organization has a policy requiring all sensitive data to be encrypted at rest. During an audit, it is found that encryption keys are stored in plaintext on the same server. Which risk response is MOST appropriate?

A.Avoid by removing the data
B.Mitigate by encrypting the key file
C.Accept the risk because encryption is still applied
D.Transfer the risk to a cloud provider
AnswerB

Encrypting the keys protects them, reducing the risk of unauthorized decryption.

Why this answer

Option B is correct because encrypting the key file directly addresses the weakness, which is mitigation. The wrapping key must then be kept somewhere other than the same server (for example in a KMS or HSM), otherwise an attacker who can read the data key can equally read the key that protects it. Option A is wrong because removing the data removes the business function with it. Option C is wrong because encryption whose key sits next to the ciphertext gives no protection against anyone who compromises the host. Option D is wrong because moving to a cloud provider does not by itself change where the keys are stored.

39
Drag & Dropmedium

Sequence the steps for implementing a new control based on risk assessment findings.

Why this order

Control implementation runs in this order: (1) design the control against the assessment finding, (2) procure or build it, (3) test it before it touches production, (4) deploy it, (5) monitor it to confirm it keeps reducing the risk as intended.

40
MCQhard

Based on the exhibit, which risk is most likely present and what is the most appropriate risk response?

A.Risk of cost; set a budget alert
B.Risk of data exposure; apply a deny rule to restrict access
C.Risk of availability; implement backup
D.No risk; the policy is standard
AnswerB

The policy allows public read access, risking data leakage. A deny rule would mitigate.

Why this answer

Option B is correct because the policy grants read access to any principal, so the risk is exposure of the stored objects; the response is mitigation, applying an explicit deny (or removing the public allow) to restrict access. Option A is wrong because an open read permission is an exposure problem, not a cost problem. Option C is wrong because backups address availability, not disclosure. Option D is wrong because a public-read grant on data that should be protected is not a standard configuration.
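The exhibit for this question is not reproduced on the page, so the following is an added example and not part of the original question bank: a constructed bucket policy of the kind the question describes (read access granted to any principal), a checker that flags such statements, and a small policy evaluator showing that the explicit deny from the answer blocks an anonymous read while the owning account keeps access. The bucket name and account ID are hypothetical, and the evaluator only models the two condition operators it uses.

```python
import fnmatch
import json

ACCOUNT_ID = "111122223333"                         # hypothetical owning account
BUCKET_ARN = "arn:aws:s3:::example-reports-bucket"  # hypothetical bucket

# Constructed sample policy: the public-read grant the question describes.
PUBLIC_READ_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": BUCKET_ARN + "/*",
    }],
})


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(principal, ctx):
    """'*' or {"AWS": "*"} match everyone, anonymous callers included; an
    account ARN matches only a caller from that account (the only other form
    modelled here)."""
    if isinstance(principal, dict):
        entries = _as_list(principal.get("AWS", []))
    else:
        entries = _as_list(principal)
    caller = ctx.get("aws:PrincipalAccount")
    return any(e == "*" or (caller is not None and caller in e) for e in entries)


def _condition_holds(condition, ctx):
    """StringEquals fails on a missing key; StringNotEquals passes on one
    (IAM's documented behaviour for negated operators). Anything else is rejected."""
    for operator, clauses in (condition or {}).items():
        if operator not in ("StringEquals", "StringNotEquals"):
            raise ValueError(f"unsupported operator {operator}")
        for key, expected in clauses.items():
            actual, expected = ctx.get(key), _as_list(expected)
            if operator == "StringEquals" and (actual is None or actual not in expected):
                return False
            if operator == "StringNotEquals" and actual is not None and actual in expected:
                return False
    return True


def find_public_statements(policy_json):
    """Risk finding: Sids of Allow statements that any principal can use."""
    stmts = _as_list(json.loads(policy_json)["Statement"])
    return [s.get("Sid", f"statement[{i}]") for i, s in enumerate(stmts)
            if s.get("Effect") == "Allow" and _principal_matches(s.get("Principal"), {})]


def access_allowed(policy_json, action, resource, ctx=None):
    """Evaluate one request: explicit Deny beats Allow, default is deny.
    An empty ctx models an anonymous (unauthenticated) caller."""
    ctx = ctx or {}
    allowed = False
    for stmt in _as_list(json.loads(policy_json)["Statement"]):
        if not _principal_matches(stmt.get("Principal"), ctx):
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt.get("Action", []))):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource", []))):
            continue
        if not _condition_holds(stmt.get("Condition"), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return False      # explicit deny is final
        allowed = True
    return allowed


def add_deny_anonymous_read(policy_json):
    """Mitigation from the answer: an explicit Deny for any caller outside the
    owning account. It overrides the existing Allow without having to locate
    and rewrite every public grant first."""
    policy = json.loads(policy_json)
    deny = {
        "Sid": "DenyOutsideAccountRead",
        "Effect": "Deny",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"],
        "Condition": {"StringNotEquals": {"aws:PrincipalAccount": ACCOUNT_ID}},
    }
    policy["Statement"] = [deny] + _as_list(policy["Statement"])
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    obj = BUCKET_ARN + "/q3-results.pdf"
    print("public statements:", find_public_statements(PUBLIC_READ_POLICY))
    fixed = add_deny_anonymous_read(PUBLIC_READ_POLICY)
    print("anonymous read before/after:",
          access_allowed(PUBLIC_READ_POLICY, "s3:GetObject", obj),
          access_allowed(fixed, "s3:GetObject", obj))
    print("owning account after:",
          access_allowed(fixed, "s3:GetObject", obj, {"aws:PrincipalAccount": ACCOUNT_ID}))
```

The scanner still reports the `PublicRead` statement after the deny is added, deliberately: the deny is the quick mitigation that closes the exposure, and the complete fix is to remove the public grant as well so the finding disappears from the next scan.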

41
MCQhard

A company faces a risk of data loss due to untrained staff. They implement mandatory training and quarterly phishing simulations. This is:

A.Risk Avoidance
B.Risk Acceptance
C.Risk Mitigation
D.Risk Transfer
AnswerC

Training reduces the probability of incidents, thus mitigating risk.

Why this answer

Option C is correct because training reduces the likelihood of human error, which is a mitigation technique.

42
MCQeasy

For a risk with very low likelihood and low impact, what is the typical risk response?

A.Mitigate
B.Transfer
C.Avoid
D.Accept
AnswerD

Acceptance is the default for low risks.

Why this answer

Option D is correct because such risks are usually accepted as the cost of response would outweigh the benefit. Options A, B, and C are excessive.

43
Multi-Selectmedium

Which TWO of the following are effective risk mitigation strategies for reducing the likelihood of a ransomware attack?

Select 2 answers
A.Installing intrusion detection systems
B.Conducting periodic vulnerability scans
C.Regularly backing up critical data
D.Deploying network segmentation
E.Implementing user awareness training
AnswersD, E

Segmentation limits the spread of ransomware, reducing likelihood of widespread infection.

Why this answer

Deploying network segmentation (D) reduces the likelihood of a ransomware attack by limiting lateral movement. If an endpoint is compromised, segmentation using VLANs or firewall rules (e.g., 802.1Q, ACLs) prevents the ransomware from spreading to critical systems, thereby reducing the attack surface and the probability of widespread encryption. User awareness training (E) directly reduces likelihood by teaching users to recognize phishing emails and malicious attachments, which are the primary initial vectors for ransomware delivery.

Exam trap

The trap here is that candidates confuse recovery controls (backups) with likelihood-reducing mitigations, or they mistake detective controls (IDS, vulnerability scans) for preventive measures that lower the probability of an attack.

44
MCQmedium

A global company uses a critical third-party vendor for data processing. The inherent risk is high, but the vendor has implemented robust controls. However, due to recent geopolitical instability, the vendor's physical location is at risk. The risk owner recommends purchasing a business continuity insurance policy. Which risk response is being applied?

A.Transfer
B.Avoid
C.Accept
D.Mitigate
AnswerA

Insurance transfers the risk to a third party.

Why this answer

Option A is correct because purchasing insurance transfers the financial risk to the insurer. Options B, C, and D do not describe transfer via insurance.

45
Multi-Selecteasy

Which THREE of the following are examples of risk mitigation controls? (Select THREE.)

Select 3 answers
A.Firewall
B.Outsourcing IT helpdesk
C.Encryption
D.Security awareness training
E.Cyber insurance
AnswersA, C, D

Firewalls reduce the likelihood of network attacks.

Why this answer

A firewall is a risk mitigation control because it enforces network security policies by filtering traffic based on rules, thereby reducing the likelihood of unauthorized access or attacks. It directly reduces the probability of a threat exploiting a vulnerability, which is the essence of mitigation.

Exam trap

The trap here is confusing risk mitigation (which reduces likelihood or impact) with risk transfer (which shifts the financial burden to another party), leading candidates to incorrectly select outsourcing or insurance as mitigation controls.

46
MCQhard

You are a risk practitioner at a financial institution that is migrating its core banking system to a cloud provider. The migration plan includes a phased approach, with the first phase moving non-critical applications. However, during the second phase (moving customer-facing applications), the cloud provider experiences a major outage that lasts 6 hours. The outage was caused by a misconfiguration in the provider's network. The institution had conducted a risk assessment and identified cloud provider downtime as a risk, but the treatment plan only included a service level agreement (SLA) with financial penalties. The SLA does not cover the reputational damage and loss of customer trust. The risk register shows that the residual risk level was marked as 'low' before the incident. After the incident, senior management is demanding a review. Which of the following is the MOST appropriate action for the risk practitioner to take?

A.Negotiate a higher penalty in the SLA
B.Initiate a legal claim against the provider
C.Update the risk register to reflect the incident and accept the residual risk
D.Reassess the risk and recommend implementing a multi-cloud architecture for critical applications
AnswerD

Multi-cloud reduces dependency on a single provider and addresses the impact.

Why this answer

Option D is correct because the incident revealed that the existing risk treatment (SLA financial penalties) was insufficient to address the actual impact (reputational damage and loss of customer trust). The risk practitioner must reassess the risk with the new information and recommend a more robust mitigation strategy, such as multi-cloud architecture, to reduce the likelihood or impact of a single provider's outage affecting critical customer-facing applications.

Exam trap

The trap here is that candidates may think updating the risk register (Option C) is sufficient, but CRISC emphasizes that after a risk materializes with greater impact than assessed, the risk must be reassessed and the treatment plan revised, not just documented.

How to eliminate wrong answers

Option A is wrong because negotiating a higher penalty in the SLA still does not address the unmitigated reputational damage and loss of customer trust; financial penalties compensate for direct costs but not intangible impacts. Option B is wrong because initiating a legal claim is a reactive, punitive measure that does not improve future resilience and may be precluded by the SLA's limitation of liability clauses. Option C is wrong because simply updating the risk register to reflect the incident and accepting the residual risk ignores the need to reassess and improve controls after a realized risk that exceeded the accepted level.

47
MCQmedium

During a post-mortem of a security incident, the risk manager notes that the response team failed to execute the incident response plan correctly because the plan was outdated. Which of the following is the BEST corrective action?

A.Conduct a tabletop exercise with the updated plan
B.Add more detective controls
C.Update the risk register
D.Increase insurance coverage
AnswerA

Tabletop exercises test and improve the team's ability to execute the plan.

Why this answer

Option A is correct because a tabletop exercise validates the updated plan and trains the team to execute it. Option B is wrong because more detective controls do not fix a response team that cannot run its own plan. Option C is wrong because updating the register records the finding but corrects nothing. Option D is wrong because insurance does not improve incident response capability.

48
MCQhard

A financial institution is implementing a new online banking platform. The risk assessment identified that the platform will handle sensitive customer data and must comply with GDPR and local banking regulations. The project team proposes encrypting all data at rest and in transit, implementing multi-factor authentication (MFA), and conducting quarterly penetration tests. However, the risk owner is concerned about the residual risk of a sophisticated phishing attack that could bypass MFA. The board has a low risk appetite. What is the BEST way to address this residual risk?

A.Purchase cyber insurance to transfer the financial impact of a potential phishing attack.
B.Implement advanced phishing-resistant MFA (e.g., FIDO2) and conduct regular employee phishing simulation training.
C.Reduce the project scope to exclude online banking and revert to a less risky channel.
D.Accept the residual risk because the existing controls (encryption, MFA, pen tests) already provide reasonable assurance.
AnswerB

These controls directly reduce the residual risk of phishing bypassing standard MFA.

Why this answer

Option B is correct because phishing-resistant MFA (for example FIDO2/WebAuthn, which binds the credential to the legitimate site's origin so a proxy phishing page cannot replay it) targets the specific residual risk, and phishing simulations reduce the chance that users hand over anything that is still replayable. Option A is wrong because insurance does not reduce the likelihood of the attack. Option D is wrong because accepting the residual risk conflicts with the board's low risk appetite.

Option C is wrong because abandoning online banking is a disproportionate response to a manageable risk.

49
MCQeasy

A new privacy regulation requires that all personal data be encrypted at rest. The current systems lack encryption. The cost to implement encryption is moderate, and the risk of non-compliance is high. Which risk response is most appropriate?

A.Mitigate by implementing encryption
B.Accept the risk
C.Avoid by discontinuing data processing
D.Transfer via cyber insurance
AnswerA

Encryption directly addresses the vulnerability.

Why this answer

Option A is correct because implementing encryption at rest directly removes the non-compliance. Option B is wrong because a high compliance risk should not be accepted when a moderate-cost fix exists. Option C is wrong because stopping the processing of personal data is disproportionate. Option D is wrong because insurance does not make the organization compliant.

50
MCQhard

A multinational organization is implementing a risk mitigation strategy for a critical system. The business impact analysis shows that downtime costs are extremely high. Which risk response strategy is MOST appropriate for this scenario?

A.Risk avoidance by decommissioning the system
B.Risk transfer through cyber insurance
C.Risk reduction by implementing redundant systems
D.Risk acceptance because mitigation is too costly
AnswerC

Redundancy reduces both likelihood and impact of downtime.

Why this answer

Given the extremely high downtime costs, the most appropriate risk response is risk reduction through implementing redundant systems. This directly addresses the critical system's availability requirement by eliminating single points of failure, thereby reducing both the likelihood and impact of downtime. Decommissioning the system (avoidance) would eliminate the business function entirely, which is typically not viable for a critical system, while insurance (transfer) only provides financial compensation after the loss, not preventing the operational impact of downtime.

Exam trap

The trap here is that candidates may confuse risk transfer (insurance) as a primary solution for high downtime costs, overlooking that insurance does not prevent the operational impact and lost revenue during the outage itself, which is the core concern in this scenario.

How to eliminate wrong answers

Option A is wrong because risk avoidance by decommissioning the system would eliminate the business function that the critical system supports, which is typically not a viable strategy for a system deemed critical to operations. Option B is wrong because risk transfer through cyber insurance only provides financial reimbursement after a loss event, but does not prevent the extremely high operational downtime costs or the associated business disruption. Option D is wrong because risk acceptance is inappropriate when the business impact analysis shows that downtime costs are extremely high and a cost-effective mitigation (like redundancy) is available.

51
Multi-Selecthard

Which THREE of the following are key components of an effective risk treatment plan?

Select 3 answers
A.Assigned responsibilities
B.Risk acceptance criteria
C.A timeline for implementation
D.The risk owner's signature
E.A detailed budget
AnswersA, B, C

Clear ownership ensures accountability.

Why this answer

Assigned responsibilities are a key component of an effective risk treatment plan because they ensure accountability for implementing specific risk mitigation actions. Without clear ownership, tasks may be delayed or overlooked, undermining the plan's execution. This aligns with the CRISC framework's emphasis on defining roles to operationalize risk response.

Exam trap

The trap here is that candidates confuse supporting artifacts (like budgets or signatures) with the core structural components of the plan, which are defined by ISACA as responsibilities, timelines, and acceptance criteria.

52
Drag & Dropmedium

Put the steps for performing a control self-assessment (CSA) in order.

Why this order

A CSA runs in this order: (1) define the scope, (2) identify the controls in scope, (3) assess their effectiveness, (4) identify the gaps, (5) report the results to management.

53
Multi-Selecthard

A risk assessment identifies a high likelihood of a data breach due to insecure APIs. The risk team proposes disabling the APIs until they are secured, implementing a WAF, and purchasing breach insurance. Which THREE risk response options are being considered?

Select 3 answers
A.Remediate
B.Transfer
C.Avoid
D.Mitigate
E.Accept
AnswersB, C, D

Insurance transfers the financial impact.

Why this answer

Options B, C, and D are correct: disabling the APIs until they are secured is avoidance (C), deploying a WAF is mitigation (D), and breach insurance is transfer (B). Option A is wrong because "remediate" is not one of the standard response options, and Option E is wrong because acceptance is not proposed.

54
MCQhard

A company is implementing a new cloud-based customer relationship management (CRM) system. The risk manager has identified that the vendor's security controls may not meet the company's requirements. Which of the following is the BEST way to address this risk?

A.Deny the existence of the risk
B.Purchase cyber insurance to cover potential losses
C.Avoid using the cloud CRM system
D.Include security requirements in the contract and perform regular vendor audits
AnswerD

This mitigates risk by enforcing controls.

Why this answer

Option D is correct because contractually requiring the vendor to meet the company's security standards and verifying them through regular audits is mitigation: it raises the vendor's control level rather than merely reassigning losses. Option B is wrong because insurance does not reduce the actual risk. Option C is wrong because avoiding the cloud CRM outright is disproportionate when the gap can be closed contractually.

Option A is wrong because denial is not a risk response.

55
MCQeasy

Based on the exhibit, what is the primary risk response strategy demonstrated by this firewall rule?

A.Risk Transfer
B.Risk Acceptance
C.Risk Mitigation
D.Risk Avoidance
AnswerC

The firewall blocks specific IP ranges, reducing the probability of attacks.

Why this answer

Option C is correct because a rule that blocks traffic from known-bad IP ranges lowers the likelihood of attack, which is mitigation. Transfer (A) would shift the loss to a third party, acceptance (B) would leave the traffic unblocked, and avoidance (D) would mean removing the exposed service altogether.

56
MCQhard

GlobalTech Inc., a multinational corporation, is planning to migrate its customer data to a new cloud platform. The migration involves transferring sensitive personally identifiable information (PII) from an on-premises database to a cloud-based CRM. The risk manager conducted a risk assessment and identified several risks, including unauthorized access during transit and residual data exposure due to misconfiguration. Mitigation controls include encryption in transit, encryption at rest, and strict access controls. The residual risk after mitigation is assessed as medium. The risk appetite statement defines that 'No data breach incidents resulting in regulatory fines exceeding $1 million are acceptable.' The estimated potential fine from a breach is $5 million with a likelihood of 2% after controls. The cost of additional controls to reduce likelihood to 0.5% is $500,000. The migrating team proposes to purchase cyber insurance with a $3 million coverage for $200,000 annual premium. The board of directors prefers to accept the residual risk to avoid additional costs. What should the risk manager do?

A.Advise the board to avoid the migration until all risks are eliminated.
B.Recommend purchasing cyber insurance to transfer the risk.
C.Accept the board's decision since the residual risk is medium.
D.Recommend implementing additional controls to reduce likelihood to 0.5%.
AnswerA

Avoidance is the only response that satisfies the risk appetite.

Why this answer

Option A is correct because the risk appetite is stated on the size of a single fine, not on expected loss: no incident producing a fine above $1 million is acceptable. The additional controls only lower likelihood (2% to 0.5%); the fine, if the breach happens, is still $5 million. The $3 million insurance policy only reimburses part of it, leaving $2 million retained, again above the threshold. Accepting a medium residual risk, as the board prefers, also violates the stated appetite. Only avoiding the migration keeps the organization inside its appetite.

Options B, C, and D fail to bring the risk within appetite.
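The figures in this question line up neatly, so here is an added worked example (not part of the original question bank) that carries them through: it computes the ALE and expected annual cost of each response and, separately, tests each one against the appetite threshold. The numbers are the question's own; treating the $500,000 control cost as a one-year figure is an assumption, since the question does not say how it is spread.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskOption:
    """One candidate response, described by what it does to the breach risk.
    Money in dollars, likelihood as an annual probability."""
    name: str
    likelihood: float          # chance of the breach in a year
    impact: float              # fine if the breach happens, before any payout
    annual_cost: float = 0.0   # control spend or insurance premium
    coverage: float = 0.0      # insurance payout cap, 0 when uninsured

    @property
    def ale(self):
        """Annualized loss expectancy: what the fine costs per year on average."""
        return self.likelihood * self.impact

    @property
    def retained_impact(self):
        """Fine left with the organization after any insurance payout."""
        return max(self.impact - self.coverage, 0.0)

    @property
    def expected_annual_cost(self):
        """Expected retained loss plus what the option itself costs."""
        return self.likelihood * self.retained_impact + self.annual_cost


def within_appetite(option, max_acceptable_fine):
    """The appetite in the question caps the size of a single fine, so it is
    tested against the worst case the organization would retain, not the ALE."""
    return option.retained_impact <= max_acceptable_fine


def evaluate(options, max_acceptable_fine):
    """Rank options by expected annual cost and mark which respect the appetite."""
    rows = []
    for opt in sorted(options, key=lambda o: o.expected_annual_cost):
        rows.append({
            "name": opt.name,
            "ale": round(opt.ale, 2),
            "expected_annual_cost": round(opt.expected_annual_cost, 2),
            "retained_impact": opt.retained_impact,
            "within_appetite": within_appetite(opt, max_acceptable_fine),
        })
    return rows


def acceptable_options(options, max_acceptable_fine):
    """Names of the options the appetite statement actually permits."""
    return [r["name"] for r in evaluate(options, max_acceptable_fine) if r["within_appetite"]]


# Figures from the question. The $500,000 control cost is treated as a
# one-year figure (assumption; the question does not say how it is spread).
FINE = 5_000_000.0
APPETITE_MAX_FINE = 1_000_000.0
QUESTION_OPTIONS = [
    RiskOption("Accept residual risk", likelihood=0.02, impact=FINE),
    RiskOption("Additional controls", likelihood=0.005, impact=FINE, annual_cost=500_000.0),
    RiskOption("Cyber insurance", likelihood=0.02, impact=FINE,
               annual_cost=200_000.0, coverage=3_000_000.0),
    RiskOption("Avoid migration", likelihood=0.0, impact=0.0),
]

if __name__ == "__main__":
    for row in evaluate(QUESTION_OPTIONS, APPETITE_MAX_FINE):
        print(row)
    print("respects appetite:", acceptable_options(QUESTION_OPTIONS, APPETITE_MAX_FINE))
```

The expected-value view alone would not favour the controls either: they cut ALE from $100,000 to $25,000, a $75,000 saving for $500,000 of spend, and the $200,000 premium buys an expected payout of only $60,000. The decision here is not an expected-value one; it is the appetite's cap on the worst-case fine, which only avoidance satisfies.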

57
MCQeasy

A recent security assessment identified that a critical web application is vulnerable to SQL injection due to unpatched software. The vendor has released a security patch. Which risk response is most appropriate?

A.Mitigate by applying the patch
B.Avoid by taking the application offline
C.Accept the risk
D.Transfer via insurance
AnswerA

Patches remove the vulnerability.

Why this answer

Option A is correct because applying the patch mitigates the vulnerability directly. Options B, C, and D are less effective.

58
MCQmedium

A multinational corporation has recently experienced a significant increase in phishing attacks targeting its employees. The attacks have caused several data breaches, resulting in regulatory fines and reputational damage. The organization has implemented security awareness training for all employees, but the number of successful attacks remains high. Additionally, the organization's risk appetite for cybersecurity incidents is Low. The CRO has asked you to recommend a risk response. Which course of action is most appropriate given the organization's risk appetite and the current situation?

A.Avoid the risk by discontinuing the use of email for business communications.
B.Accept the risk because the training has reduced the likelihood, and further controls are too expensive.
C.Implement technical controls such as advanced email filtering and multi-factor authentication (MFA) to reduce the likelihood and impact of phishing attacks.
D.Transfer the risk by outsourcing all email and security operations to a managed security service provider (MSSP).
AnswerC

Technical controls directly reduce likelihood and impact, aligning with the low risk appetite.

Why this answer

Option C is correct because implementing technical controls like advanced email filtering (e.g., SPF, DKIM, DMARC validation) and multi-factor authentication (MFA) directly reduces both the likelihood and impact of phishing attacks. Given the organization's low risk appetite for cybersecurity incidents, this risk mitigation approach aligns with the need to lower residual risk to an acceptable level, especially since training alone has proven insufficient.

Exam trap

The trap here is that candidates may choose Option D (transfer) thinking that outsourcing to an MSSP removes the risk, but the organization retains accountability for breaches and regulatory fines, so mitigation (Option C) is the most appropriate response given the low risk appetite.

How to eliminate wrong answers

Option B is wrong because accepting the risk contradicts the organization's stated low risk appetite, and the training has not reduced the rate of successful attacks. Option D is wrong because transferring operations to an MSSP does not remove the organization's liability for regulatory fines and reputational damage, and the MSSP's controls may not match the low risk appetite. Option A is wrong because abandoning email is impractical for a multinational corporation; it would cause severe operational disruption without addressing the root cause of phishing.
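One of the checks behind the "advanced email filtering" in the correct option is whether the organization's own domain has DMARC enforcement, since a domain on p=none still lets lookalike mail from its own name through. As an added example (not from the question bank), the following parses a DMARC TXT record and reports whether it actually enforces anything. The records are constructed; a real check would fetch `_dmarc.<domain>` over DNS.

```python
def parse_dmarc(record):
    """Split a DMARC TXT record ('tag=value; tag=value') into a dict.
    Raises ValueError if it is not a DMARC1 record or lacks the required p= tag."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    if "p" not in tags:
        raise ValueError("required tag p= is missing")
    return tags


def assess_dmarc(record):
    """Return (enforcing, findings). 'Enforcing' means every failing message,
    for the domain and its subdomains, is quarantined or rejected."""
    tags = parse_dmarc(record)
    p = tags["p"].lower()
    sp = tags.get("sp", p).lower()       # subdomain policy defaults to p
    pct = int(tags.get("pct", "100"))    # share of failing mail the policy applies to
    findings = []
    if p == "none":
        findings.append("p=none: monitoring only, spoofed mail is still delivered")
    if pct < 100:
        findings.append(f"pct={pct}: only {pct}% of failing mail gets the policy")
    if sp == "none" and p != "none":
        findings.append("sp=none: subdomains of this domain can still be spoofed")
    if "rua" not in tags:
        findings.append("no rua=: no aggregate reports, so failures go unseen")
    if tags.get("adkim", "r").lower() == "r" and tags.get("aspf", "r").lower() == "r":
        findings.append("relaxed alignment (default): mail from any subdomain aligns; "
                        "use adkim=s/aspf=s if subdomains never send")
    enforcing = (p in ("quarantine", "reject")
                 and sp in ("quarantine", "reject")
                 and pct == 100)
    return enforcing, findings


# Constructed records: monitoring-only, fully enforcing, and partially rolled out.
MONITORING_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
ENFORCING = ("v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; "
             "rua=mailto:dmarc@example.com")
PARTIAL = "v=DMARC1; p=quarantine; pct=25"

if __name__ == "__main__":
    for rec in (MONITORING_ONLY, ENFORCING, PARTIAL):
        print(rec, "->", assess_dmarc(rec))
```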

59
Multi-Selectmedium

Which THREE of the following are key considerations when selecting a risk response option?

Select 3 answers
A.Cost-benefit analysis of controls
B.Impact of the risk without controls
C.Risk appetite of the organization
D.Current control effectiveness
E.Legal and regulatory requirements
AnswersA, C, E

Cost-effectiveness is crucial.

Why this answer

Options A, C, and E are correct. Risk appetite sets the level the response must reach; the cost of each control must be weighed against the risk it removes; and legal and regulatory requirements can rule out options such as acceptance outright.

Option D is wrong because current control effectiveness is an input to the assessment that produced the residual risk, not a criterion for choosing among responses. Option B is wrong because impact alone, without likelihood, gives an incomplete picture of the risk.

60
MCQeasy

A small e-commerce company has identified a high-risk vulnerability in its payment processing system that could expose customer credit card data. The IT team recommends immediately patching the system, but the patch requires a 4-hour downtime during peak sales hours. The risk manager proposes accepting the risk until the next scheduled maintenance window in two weeks. The CEO is concerned about potential fines from PCI DSS non-compliance. What is the BEST course of action?

A.Delay the patch until the next maintenance window but document the risk acceptance with CEO sign-off.
B.Accept the risk and schedule the patch during the next maintenance window as originally planned.
C.Apply the patch immediately during peak hours, accepting the revenue loss from downtime.
D.Implement a compensating control (e.g., web application firewall) and schedule the patch during off-peak hours within 48 hours.
AnswerD

Compensating controls reduce risk while allowing a timely patch without peak-hour disruption.

Why this answer

Option D is correct because it balances PCI DSS obligations with business continuity: a compensating control such as a WAF rule blocking the known attack pattern reduces exposure immediately, and the patch still lands within 48 hours. Option B is wrong because accepting a known high risk to cardholder data for two weeks ignores compliance obligations.

Option C is wrong because patching during peak hours imposes an avoidable revenue loss when a short deferral with a compensating control is available. Option A is wrong because documented sign-off changes who is accountable, not the exposure; the high risk stays unaddressed for two weeks.

61
MCQhard

Refer to the exhibit. Which type of attack is MOST likely indicated by these log entries?

A.SQL injection
B.Cross-site scripting (XSS)
C.Cross-site request forgery (CSRF)
D.Brute-force or credential stuffing
AnswerD

Duplicate entry error and login success indicate multiple attempts.

Why this answer

Option D is correct because repeated attempts against 'admin' (the duplicate entry error in the log) followed by a successful login is the signature of brute force or credential stuffing, where an attacker cycles through many passwords or leaked credential pairs. Option A is wrong because SQL injection would show malformed queries or database syntax errors, not repeated authentication attempts. Option B is wrong because XSS would appear as script content in submitted or rendered output.

Option C is wrong because CSRF rides on a victim's existing authenticated session and does not produce repeated login attempts.
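The log exhibit for this question is not reproduced on the page. As an added example, not part of the original, here is the detection logic a practitioner would run over such authentication logs, with a constructed log in a simple key=value format: it flags a burst of failures from one source, distinguishes a single-account brute force from credential stuffing across many accounts, and raises a separate alert when the burst ends in a successful login (the combination the answer points to). The log format and the thresholds are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed log lines (not the question's exhibit): a password-guessing burst
# against 'admin' that ends in a success, one ordinary typo, and one pass over
# five different accounts from a single source.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z src=203.0.113.7 user=admin result=FAIL
2024-05-01T09:00:04Z src=203.0.113.7 user=admin result=FAIL
2024-05-01T09:00:07Z src=203.0.113.7 user=admin result=FAIL
2024-05-01T09:00:10Z src=203.0.113.7 user=admin result=FAIL
2024-05-01T09:00:13Z src=203.0.113.7 user=admin result=FAIL
2024-05-01T09:00:16Z src=203.0.113.7 user=admin result=FAIL
2024-05-01T09:00:19Z src=203.0.113.7 user=admin result=SUCCESS
2024-05-01T09:05:00Z src=192.0.2.9 user=jsmith result=FAIL
2024-05-01T09:05:12Z src=192.0.2.9 user=jsmith result=SUCCESS
2024-05-01T09:10:00Z src=198.51.100.4 user=alice result=FAIL
2024-05-01T09:10:02Z src=198.51.100.4 user=bob result=FAIL
2024-05-01T09:10:04Z src=198.51.100.4 user=carol result=FAIL
2024-05-01T09:10:06Z src=198.51.100.4 user=dave result=FAIL
2024-05-01T09:10:08Z src=198.51.100.4 user=erin result=FAIL
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>FAIL|SUCCESS)$")


def parse_line(line):
    """Parse one log line into a dict; reject anything that does not fit the format."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparsed line: {line!r}")
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect(lines, window_s=60, fail_threshold=5, user_threshold=5):
    """Sliding-window failure counter per source IP.
    - >= fail_threshold failures within window_s seconds -> brute_force
    - ...spread over >= user_threshold distinct accounts  -> credential_stuffing
    - a SUCCESS while a burst is still inside the window  -> success_after_burst
    Each (source, kind) pair is reported once so a long burst does not flood."""
    recent = defaultdict(deque)   # src -> deque of (ts, user) for failures in window
    reported = set()
    findings = []

    def report(src, kind, ev):
        if (src, kind) not in reported:
            reported.add((src, kind))
            findings.append({"src": src, "kind": kind, "user": ev["user"],
                             "at": ev["ts"].isoformat()})

    for ev in (parse_line(line) for line in lines if line.strip()):
        q = recent[ev["src"]]
        while q and (ev["ts"] - q[0][0]).total_seconds() > window_s:
            q.popleft()                      # expire failures outside the window
        if ev["result"] == "FAIL":
            q.append((ev["ts"], ev["user"]))
            if len(q) >= fail_threshold:
                distinct_users = len({u for _, u in q})
                kind = "credential_stuffing" if distinct_users >= user_threshold else "brute_force"
                report(ev["src"], kind, ev)
        elif len(q) >= fail_threshold:
            # The attacker eventually got in: the 'success after many failures'
            # pattern the question describes, which warrants the highest priority.
            report(ev["src"], "success_after_burst", ev)
    return findings


def finding_kinds(lines, **thresholds):
    """Just the alert kinds, in the order they fired."""
    return [f["kind"] for f in detect(lines, **thresholds)]


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG.splitlines()):
        print(finding)
```

The single failure from 192.0.2.9 followed by a success never reaches the threshold and is left alone; that is the point of counting per source within a window rather than alerting on every failed login.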

62
Multi-Selectmedium

Which TWO of the following are examples of risk transfer? (Select TWO.)

Select 2 answers
A.Outsourcing IT operations to a third party
B.Implementing encryption
C.Accepting residual risk
D.Buying cyber insurance
E.Conducting security training
AnswersA, D

Outsourcing transfers the risk of IT operations to the vendor.

Why this answer

Options A and D are correct because outsourcing and insurance both shift financial or operational responsibility for the loss to another party. Options B and E are mitigation, and Option C is acceptance.

63
MCQhard

A healthcare organization is migrating its electronic health records (EHR) system to a cloud provider. The risk assessment shows that the cloud provider has strong security certifications (e.g., SOC 2 Type II, ISO 27001). However, the organization's legal team is concerned about data sovereignty laws that require patient data to remain within the country. The cloud provider's data centers are located in three regions: one in-country, and two outside. The project manager proposes using only the in-country data center. The IT director warns that this will increase latency and reduce redundancy. The risk manager must propose a response. Which is the BEST option?

A.Accept the legal risk because the cloud provider's certifications are sufficient, and document the decision.
B.Use all three data centers with automatic failover, and rely on the cloud provider's contractual guarantees of data residency.
C.Configure the EHR system to store primary data in the in-country data center, and use the other two centers for disaster recovery with data residency controls ensuring data does not leave the country unless encrypted and with legal approval.
D.Use only the in-country data center and accept the increased availability risk.
AnswerC

This balances compliance, availability, and redundancy.

Why this answer

Option C is correct because it balances the requirements: primary storage stays in the in-country data center to satisfy data sovereignty, while the other two regions provide disaster recovery under residency controls, with any cross-border copy encrypted and approved by legal beforehand. Option D is wrong because relying on a single data center increases availability risk. Option B is wrong because unrestricted replication to out-of-country regions violates data sovereignty; a contractual residency guarantee does not change where the data physically is.

Option A is wrong because accepting the legal risk is unacceptable given the regulatory environment; SOC 2 and ISO 27001 certifications attest to control quality, not to compliance with residency law.

64
Matchingmedium

Match each risk management term to its definition.

Concepts and their matches:

Inherent risk: risk level before controls are applied

Residual risk: risk level after controls are applied

Risk appetite: amount of risk the organization is willing to accept

Risk tolerance: acceptable deviation from risk appetite

Why these pairings

Inherent risk is measured before any control is considered and residual risk after; comparing the two shows what the controls actually buy. Risk appetite is the level the organization is willing to operate at, and risk tolerance is the permitted variance around it, so a residual risk inside tolerance is acceptable even if it overshoots the appetite figure slightly.

65
MCQeasy

Refer to the exhibit. Which of the following is the MOST critical risk that should be addressed first?

A.SSH protocol version 1.0 on 192.168.1.10
B.RDP with weak encryption on 192.168.1.20
C.SMB signing not required on 192.168.1.20
D.Apache HTTP Server 2.2.3 on 192.168.1.10
AnswerA

Critical vulnerability should be addressed first.

Why this answer

Option A is correct because SSH protocol version 1 has known cryptographic weaknesses and is long deprecated, so a host still offering it is the critical finding and should be remediated first. Option D is wrong because Apache 2.2.3 is an unsupported release rated high, but not critical. Option B is wrong because RDP with weak encryption is rated medium.

Option C is wrong because SMB signing not being required is rated medium.

66
MCQeasy

An organization purchases cyber insurance to cover potential losses from data breaches. This is an example of:

A. Risk Avoidance
B. Risk Transfer
C. Risk Mitigation
D. Risk Acceptance
Answer: B

Insurance is a classic example of risk transfer.

Why this answer

Purchasing cyber insurance transfers the financial risk of a data breach to the insurer, making it a classic example of risk transfer. In risk management, transfer shifts the impact of a loss to a third party (e.g., an insurance carrier) without eliminating the underlying threat or vulnerability. This aligns with the CRISC domain of Risk Response and Mitigation, where transfer is a distinct response strategy.

Exam trap

The trap here is that candidates confuse risk transfer with risk mitigation, thinking insurance reduces the likelihood of a breach, when in fact it only shifts the financial consequences.

How to eliminate wrong answers

Option A is wrong because risk avoidance would mean eliminating the activity that causes the risk (e.g., not storing any sensitive data), not insuring against it. Option C is wrong because risk mitigation involves implementing controls (e.g., encryption, firewalls) to reduce the likelihood or impact of a breach, not transferring financial liability. Option D is wrong because risk acceptance means formally acknowledging the risk and bearing the potential loss without purchasing insurance or implementing additional controls.

67
MCQ · medium

A risk assessment reveals that a legacy system has a high likelihood of failure. The system is critical and cannot be replaced immediately. The company decides to implement manual overrides and additional monitoring. This is an example of:

A. Risk Transfer
B. Risk Mitigation
C. Risk Acceptance
D. Risk Avoidance
Answer: B

Manual overrides and monitoring reduce the likelihood or impact of failure.

Why this answer

Option B is correct because implementing controls (manual overrides and additional monitoring) reduces the likelihood or impact of the risk, which is mitigation.

68
MCQ · easy

After a risk assessment, a company decides to stop using a third-party service that has high residual risk. This is an example of:

A. Risk Mitigation
B. Risk Avoidance
C. Risk Transfer
D. Risk Acceptance
Answer: B

Avoidance is the decision not to engage in the risk-prone activity.

Why this answer

Option B is correct because eliminating the use of the service removes the risk entirely, which is avoidance.

69
MCQ · hard

After implementing multiple controls, the residual risk for a new product launch is still slightly above the risk appetite. The risk manager decides to proceed with the launch and monitor the risks regularly. This is:

A. Risk Transfer
B. Risk Avoidance
C. Risk Acceptance
D. Risk Mitigation
Answer: C

Acceptance is appropriate when residual risk is still above appetite but the decision is made to tolerate it.

Why this answer

Option C is correct because the residual risk is formally accepted as being within an acceptable range after controls.

70
Multi-Select · medium

Which THREE of the following are key components of an effective risk response plan?

Select 3 answers
A. Documented risk response strategy (e.g., avoid, mitigate, transfer, accept)
B. Detailed implementation timeline
C. Assigned ownership and accountability
D. Regulatory impact analysis
E. Resource allocation and budget
Answers: A, C, E

The chosen strategy is a fundamental part of the plan.

Why this answer

Risk response plans must include a documented strategy, assigned ownership, and resource allocation. A detailed implementation timeline (B) and a regulatory impact analysis (D) are supporting details, not core components of the plan itself.

71
MCQ · hard

A risk assessment identifies that a legacy system has a high risk of failure with no available vendor support. The organization decides to decommission the system and migrate to a modern platform. This is:

A. Risk Avoidance
B. Risk Transfer
C. Risk Mitigation
D. Risk Acceptance
Answer: A

Avoidance is the decision to stop the risky activity.

Why this answer

Option A is correct because decommissioning the system eliminates the risk entirely, which is avoidance.
