CCNA Crisc It Security Questions

30 of 105 questions · Page 2/2 · Crisc It Security topic · Answers revealed

76
Multi-Select · medium

A risk manager is integrating the NIST Cybersecurity Framework with the organization's risk management processes. Which TWO functions of the NIST CSF directly support risk assessment?

Select 2 answers
A. Detect
B. Identify
C. Recover
D. Protect
E. Respond
Answers: B, D

Identify includes risk assessment, asset management, and governance.

Why this answer

The Identify function covers risk assessment and management, and the Protect function involves safeguards that are assessed for effectiveness.

77
MCQ · easy

Which COBIT 2019 domain objective focuses on ensuring that risk is optimized through evaluation, direction, and monitoring?

A. EDM01 — Ensure Governance Framework Setting and Maintenance
B. EDM02 — Ensure Benefits Delivery
C. EDM04 — Ensure Resource Optimization
D. EDM03 — Ensure Risk Optimization
Answer: D

This is the correct objective for risk optimization.

Why this answer

EDM03 — Ensure Risk Optimization is the governance objective that addresses risk management evaluation, direction, and monitoring.

78
MCQ · hard

A risk manager is evaluating the risk of quantum computing for the organization's encryption. The organization uses RSA-2048 for data encryption. What is the PRIMARY consideration in planning for post-quantum cryptography migration?

A. The timeline for quantum computers to break RSA-2048
B. The cost of new encryption algorithms
C. The availability of quantum-resistant hardware
D. The performance impact of post-quantum algorithms
Answer: A

Understanding when quantum computers will be capable of breaking current cryptography is essential for planning migration.

Why this answer

Quantum computers capable of breaking RSA-2048 are not expected within the next few years, so the primary consideration is the timeline for quantum advantage to prioritize migration efforts.

79
Multi-Select · hard

A manufacturing company is evaluating the risks of connecting its OT network to the IT network. Which THREE risks are MOST significant due to IT/OT convergence?

Select 3 answers
A. Expansion of attack paths from IT to OT systems
B. Legacy OT devices lacking modern security controls
C. Compliance with GDPR
D. Potential for physical damage and safety incidents
E. Increased data storage costs
Answers: A, B, D

The connection creates new vectors for attackers to reach OT.

Why this answer

Convergence increases attack paths, legacy OT devices lack security, and attacks can have physical safety consequences.

80
MCQ · medium

According to the NIST Cybersecurity Framework, which function involves developing and implementing appropriate safeguards to ensure delivery of critical infrastructure services?

A. Identify
B. Protect
C. Respond
D. Detect
Answer: B

Correct. Protect focuses on safeguards.

Why this answer

The Protect function (PR) is defined as developing and implementing appropriate safeguards to ensure delivery of critical infrastructure services.

81
MCQ · easy

In the context of IT governance, which COBIT 2019 process is specifically focused on ensuring risk optimization?

A. EDM01 — Ensure Governance Framework Setting and Maintenance
B. EDM04 — Ensure Resource Optimization
C. EDM02 — Ensure Benefits Delivery
D. EDM03 — Ensure Risk Optimization
Answer: D

EDM03 is the correct process for risk optimization.

Why this answer

EDM03 (Ensure Risk Optimization) is the COBIT 2019 process that evaluates, directs, and monitors risk management to optimize risk exposure.

82
Multi-Select · hard

A global company is moving its critical applications to a public cloud. Which THREE of the following are key risk considerations in the shared responsibility model?

Select 3 answers
A. Physical security of data centers
B. Identity and access management
C. Compliance with regulatory requirements for data handling
D. Data encryption and key management
E. Network firewall configuration
Answers: B, C, D

Customers manage user identities and access controls.

Why this answer

Data security, identity management, and compliance are typically customer responsibilities, while physical security is the provider's. Misunderstanding these can lead to gaps.

83
Multi-Select · medium

A risk manager is evaluating the application of IEC 62443 for industrial control systems. Which THREE of the following are key security requirements addressed by this standard?

Select 3 answers
A. Environmental monitoring (temperature, humidity)
B. Identification and authentication control
C. System integrity
D. Physical security of data centers
E. Use control (authorization)
Answers: B, C, E

Ensures only authorized users and devices access the system.

Why this answer

IEC 62443 is a series of standards specifically designed for the security of Industrial Automation and Control Systems (IACS). It addresses cybersecurity requirements to protect these systems from cyber threats. Identification and authentication control (B) is a foundational requirement, ensuring that only authorized users and devices can access the system, which is critical for preventing unauthorized access to industrial processes.

Exam trap

The trap here is that candidates may confuse general operational or physical security measures (like environmental monitoring or data center security) with the specific cybersecurity controls mandated by IEC 62443 for industrial control systems.

84
MCQ · medium

An organization is developing a new cloud-based application that will process personal data of EU citizens. The risk manager is assessing the shared responsibility model with the cloud service provider (CSP). Which of the following is the MOST critical risk to address in the risk assessment?

A. Lack of encryption at rest
B. Vendor lock-in due to proprietary APIs
C. Data sovereignty and cross-border data transfer restrictions
D. Multi-tenancy isolation failures
Answer: C

Data sovereignty is critical for compliance with GDPR and other privacy regulations, as data may be stored in jurisdictions with inadequate protection.

Why this answer

In the shared responsibility model, the customer is responsible for data classification and access controls. Data sovereignty is a key concern when processing EU personal data, as the CSP may store data in jurisdictions that do not provide equivalent protection. The risk manager must ensure contractual and technical measures align with GDPR requirements.

85
Multi-Select · medium

A risk manager is evaluating the risks associated with using a public cloud provider. Which TWO of the following are key considerations for multi-tenancy isolation? (Select TWO.)

Select 2 answers
A. Risk of unclear shared responsibility
B. Risk of vendor lock-in
C. Risk of misconfigured cloud storage exposing another tenant's data
D. Risk of data sovereignty violations
E. Risk of hypervisor escape attacks
Answers: C, E

Misconfiguration can lead to cross-tenant exposure.

Why this answer

Multi-tenancy isolation concerns include the risk of hypervisor vulnerabilities allowing tenants to access each other's data (E) and the risk of misconfiguration leading to cross-tenant data exposure (C). Vendor lock-in (B) is not about isolation; data sovereignty (D) is about geographic location; shared responsibility (A) is about roles.

86
Multi-Select · hard

An organization is planning for post-quantum cryptography migration. Which THREE of the following are key considerations for this migration?

Select 3 answers
A. Inventory of all cryptographic assets and dependencies
B. Replacing all existing hardware immediately
C. Crypto agility to easily replace algorithms
D. Timeline estimates for when quantum computers can break current cryptography
E. Eliminating cloud services to reduce risk
Answers: A, C, D

Knowing where cryptography is used is essential.

Why this answer

Option A is correct because a comprehensive inventory of cryptographic assets and dependencies is essential to identify all systems, applications, and data that rely on current cryptographic algorithms (e.g., RSA, ECDSA, Diffie-Hellman). Without this inventory, the organization cannot prioritize migration efforts, assess impact, or ensure that no legacy cryptographic dependency is overlooked during the transition to post-quantum algorithms.

Exam trap

The trap here is that candidates may confuse 'crypto agility' (Option C) with 'immediate hardware replacement' (Option B), or assume that cloud services must be eliminated (Option E) rather than recognizing that inventory, agility, and timeline are the three core strategic considerations for a phased, risk-based migration.

87
Multi-Select · medium

A risk manager is designing an IT risk management programme. Which THREE of the following are essential components of a risk management policy?

Select 3 answers
A. Risk assessment methodology
B. Specific risk treatment plans
C. Risk appetite statement
D. Detailed risk register
E. Roles and responsibilities for risk management
Answers: A, C, E

Methodology defines how risks are assessed.

Why this answer

A risk assessment methodology is an essential component of a risk management policy because it defines the standardized approach for identifying, analyzing, and evaluating IT risks. Without a prescribed methodology, risk assessments would be inconsistent, making it impossible to compare risks across the organization or to align them with the risk appetite. The policy must mandate a repeatable process, such as NIST SP 800-30 or ISO 31010, to ensure objectivity and defensibility in risk decisions.

Exam trap

The trap here is that candidates confuse operational artifacts (risk treatment plans and risk registers) with policy-level components, failing to recognize that the policy sets the framework and mandates, not the specific details of each risk response.

88
MCQ · easy

Which of the following is a primary concern when using AI/ML models for decisions subject to regulatory oversight?

A. Adversarial attacks
B. Model bias
C. Explainability of model decisions
D. Data privacy in training
Answer: C

Regulations like GDPR require explanation of automated decisions.

Why this answer

Regulated decisions often require explainability to ensure compliance and auditability, which can be challenging with complex AI/ML models.

89
MCQ · medium

During the solution architecture review, the Architecture Review Board (ARB) identifies a security risk in a proposed cloud migration project. The solution relies on a single cloud region with no disaster recovery plan. Which of the following is the BEST recommendation to mitigate this risk?

A. Deploy the application across multiple cloud regions with automated failover
B. Purchase cyber insurance to cover financial losses
C. Implement encryption at rest and in transit
D. Conduct a business impact analysis (BIA)
Answer: A

Multi-region deployment reduces the risk of a single point of failure and ensures business continuity.

Why this answer

The risk of a single region failure can be mitigated by implementing a multi-region deployment with failover. This aligns with high availability and disaster recovery best practices.

90
MCQ · easy

Which COBIT 2019 governance objective focuses on ensuring that the enterprise's risk appetite and tolerance are understood, articulated, and communicated, and that risk is managed appropriately?

A. EDM04 — Ensure Resource Optimization
B. EDM03 — Ensure Risk Optimization
C. EDM02 — Ensure Benefits Delivery
D. EDM01 — Ensure Governance Framework Setting and Maintenance
Answer: B

Correct as described.

Why this answer

EDM03 — Ensure Risk Optimization is the COBIT 2019 governance objective specifically designed to ensure that the enterprise's risk appetite and risk tolerance are defined, communicated, and understood, and that risk is managed within those boundaries. It focuses on aligning risk management with enterprise objectives and ensuring that residual risk is acceptable.

Exam trap

The trap here is that candidates often confuse 'risk optimization' (EDM03) with 'resource optimization' (EDM04) because both terms include 'optimization,' but EDM03 is the only one that explicitly addresses risk appetite, tolerance, and management.

How to eliminate wrong answers

Option A is wrong because EDM04 — Ensure Resource Optimization focuses on managing IT resources (applications, information, infrastructure, people) efficiently and effectively, not on risk appetite or tolerance. Option C is wrong because EDM02 — Ensure Benefits Delivery is concerned with optimizing value from IT-enabled investments and services, not with risk management. Option D is wrong because EDM01 — Ensure Governance Framework Setting and Maintenance deals with establishing and maintaining the governance framework (structures, principles, processes), not directly with risk appetite articulation or risk management.

91
MCQ · easy

When assessing cloud computing risk, which of the following is a key concern related to data sovereignty?

A. Shared responsibility model misunderstandings
B. Data may be stored in jurisdictions with different privacy laws
C. Multi-tenancy isolation gaps
D. Vendor lock-in due to proprietary APIs
Answer: B

This is the core of data sovereignty risk.

Why this answer

Data sovereignty refers to legal requirements that data be stored and processed within certain geographic boundaries. Cloud providers may store data in multiple jurisdictions, leading to compliance risks if data crosses borders without authorization.

92
MCQ · easy

Which of the following is a characteristic of IoT devices that increases cybersecurity risk?

A. Built-in hardware security modules
B. Limited processing power for security features
C. Standardized communication protocols
D. Regular automatic firmware updates
Answer: B

Limited resources hinder implementation of robust security.

Why this answer

IoT devices often have limited processing power and cannot run standard security software, making them vulnerable to attacks.

93
MCQ · easy

Which of the following is the PRIMARY purpose of a risk register in an IT risk management program?

A. To document and track identified risks and their treatment plans
B. To provide a historical record of past incidents
C. To calculate key risk indicators (KRIs)
D. To ensure compliance with regulatory requirements
Answer: A

The risk register is used to document, assess, and monitor risks and responses.

Why this answer

The risk register is the central repository for documenting identified risks, their assessed impact and likelihood, and the corresponding treatment plans (e.g., mitigate, accept, transfer, avoid). Its primary purpose is to provide a structured, living record that enables ongoing tracking, prioritization, and management of risk treatment activities throughout the IT risk management lifecycle.

Exam trap

The trap here is that candidates confuse the risk register's primary purpose with secondary benefits like compliance or metrics, leading them to choose options that describe outputs or uses of the register rather than its core function of documenting and tracking risks and treatments.

How to eliminate wrong answers

Option B is wrong because a risk register is forward-looking and focused on current and future risks, not a historical log of past incidents (that would be an incident log or post-mortem database). Option C is wrong because key risk indicators (KRIs) are metrics derived from risk data to provide early warning signals, but the risk register itself does not calculate them; it stores the underlying risk data that may feed KRI calculations. Option D is wrong because, while compliance may be a benefit of using a risk register, its primary purpose is risk management and treatment tracking, not specifically ensuring regulatory compliance (which is the role of compliance frameworks and audit programs).

94
MCQ · medium

A manufacturing company is integrating its operational technology (OT) network with the corporate IT network to enable real-time data analytics. Which of the following risks should be prioritized during the risk assessment?

A. Attack path expansion from IT to OT networks
B. Incompatibility of IT and OT software versions
C. Increased latency in OT communications
D. Loss of data integrity in analytics dashboards
Answer: A

Attack path expansion is the most critical risk, as it enables cyber attacks to reach OT systems with potential safety implications.

Why this answer

Integrating OT and IT networks creates a new attack path from the IT network to the OT network. Since OT systems often lack modern security controls and run legacy protocols (e.g., Modbus, DNP3), an attacker who compromises the IT network can pivot into the OT environment, potentially disrupting physical processes. This risk is prioritized because it introduces a direct, high-impact threat to safety and availability that did not exist before the integration.

Exam trap

The trap here is that candidates often focus on operational risks like latency or compatibility (options B and C) because they seem more immediate to the integration, but CRISC prioritizes security risks that introduce new attack vectors with potential for physical damage.

How to eliminate wrong answers

Option B is wrong because software version incompatibility is a compatibility or integration issue, not a security risk that would be prioritized in a risk assessment focused on security; it is typically addressed during project planning or testing. Option C is wrong because increased latency in OT communications is a performance or operational risk, not a security risk; while important, it does not represent the primary threat introduced by network integration. Option D is wrong because loss of data integrity in analytics dashboards is a consequence of a security incident (e.g., tampering) but not the root risk; the prioritized risk is the attack path that enables such tampering.

95
MCQ · medium

A hospital is deploying IoT medical devices that connect to the network. Which risk is MOST concerning from a cybersecurity perspective?

A. Expanded attack surface due to many devices
B. Data sovereignty compliance
C. Firmware update challenges
D. Vendor lock-in
Answer: A

Each device adds an entry point, increasing the risk of compromise.

Why this answer

IoT devices expand the attack surface, and many medical devices have weak security, making them easy targets for attackers to gain network access.

96
MCQ · easy

A risk manager is designing an IT risk management programme. Which document should be created FIRST to guide the overall approach to risk management?

A. Risk treatment plan
B. Risk register
C. Risk management policy
D. Risk assessment methodology
Answer: C

The policy sets the direction and framework for risk management.

Why this answer

A risk management policy establishes the principles, objectives, and responsibilities for risk management, providing a foundation for all other risk management activities.

97
Multi-Select · hard

An organization is implementing IEC 62443 for its industrial control systems. Which THREE of the following are key requirements of IEC 62443? (Select three.)

Select 3 answers
A. Applying security levels (SL) to each zone based on risk
B. Ensuring all industrial components have a secure development lifecycle (SDL)
C. Using proprietary protocols to enhance performance
D. Conducting a risk assessment to identify security zones and conduits
E. Implementing a single-vendor solution to reduce complexity
Answers: A, B, D

Security levels define the required robustness of controls per zone.

Why this answer

IEC 62443 is a comprehensive standard covering security management, system design, and component requirements. It requires risk assessment, defense-in-depth (zones and conduits), and secure development lifecycle.

98
MCQ · medium

An organization is evaluating cyber insurance options. Which of the following factors is MOST likely to influence the insurance premium?

A. The organization's annual revenue
B. The number of employees in the IT department
C. The organization's cybersecurity maturity and incident history
D. The organization's credit rating
Answer: C

Insurers assess the organization's security controls and past incidents to determine risk.

Why this answer

Insurance premiums are heavily influenced by the organization's risk profile, including its security posture. A strong security posture reduces perceived risk and thus premiums.

99
MCQ · hard

A risk manager is assessing the potential impact of quantum computing on the organization's cryptographic infrastructure. What is the MOST immediate action the organization should take?

A. Purchase quantum-resistant hardware security modules
B. Conduct a cryptographic inventory to identify vulnerable systems
C. Immediately replace all encryption with post-quantum algorithms
D. Discontinue use of public key cryptography
Answer: B

Knowing the current state is essential for planning.

Why this answer

The first step is to inventory all cryptographic systems to understand where quantum-vulnerable algorithms are used, enabling a migration plan.

100
Multi-Select · hard

A risk manager is assessing IT/OT convergence risks at a manufacturing plant. Which TWO of the following are primary risks introduced by connecting industrial control systems to the corporate network?

Select 2 answers
A. Attack path expansion from IT to OT
B. Reduced operational efficiency
C. Increased data storage costs
D. Legacy system vulnerabilities exposed
E. Simplified remote access
Answers: A, D

Network connectivity creates new vectors for attackers.

Why this answer

Attack path expansion allows attackers to move from IT to OT. Legacy systems often have weak security. Both are primary risks.

101
MCQ · medium

An organization's architecture review board (ARB) is evaluating a new solution architecture. What is the PRIMARY risk management role of the ARB in this context?

A. Identifying and mitigating security risks in the architecture
B. Selecting the technology vendor for the solution
C. Ensuring the solution aligns with the enterprise IT strategy
D. Approving the project budget and timeline
Answer: A

The ARB reviews for security risks and ensures they are addressed.

Why this answer

The ARB reviews solution architectures to identify and address security risks before implementation, ensuring alignment with the organization's risk appetite.

102
Multi-Select · easy

An organization is considering adopting the NIST Cybersecurity Framework to manage cybersecurity risk. Which of the following are core functions of the framework? (Choose TWO.)

Select 2 answers
A. Prevent
B. Mitigate
C. Protect
D. Analyze
E. Identify
Answers: C, E

Protect includes safeguards to limit impact.

Why this answer

The NIST CSF core functions include Identify, Protect, Detect, Respond, and Recover. Identify and Protect are two of them.

103
MCQ · hard

A risk manager is using the FAIR model to quantify cyber risk. After analyzing a ransomware scenario, the probable loss event frequency (LEF) is estimated at 0.2 per year, and the probable loss magnitude (LM) is $5 million. What is the annualized loss expectancy (ALE) in this scenario?

A. $500,000
B. $250,000
C. $5,000,000
D. $1,000,000
Answer: D

Correct calculation: 0.2 * 5,000,000 = 1,000,000.

Why this answer

ALE = LEF * LM = 0.2 * $5,000,000 = $1,000,000.

104
Multi-Select · medium

An OT environment is being assessed for compliance with IEC 62443. Which TWO of the following are key security requirements of this standard?

Select 2 answers
A. Segmentation of networks into zones and conduits
B. Mandatory cloud-based backup for all control systems
C. Annual penetration testing by an external firm
D. Use of AES-256 encryption for all communications
E. Implementation of security levels (SL) for control systems
Answers: A, E

Defense-in-depth zones and conduits are core concepts.

Why this answer

IEC 62443 requires segmentation of OT networks into zones and conduits to isolate critical control systems from less trusted networks and control communication flows. This is a foundational security requirement because it limits the blast radius of a cyber incident and enforces access controls between different security levels.

Exam trap

The trap here is that candidates often confuse 'security levels' (SL) with 'security requirements': SL is a target classification (SL 1-4), not a requirement itself, while zone/conduit segmentation is a direct architectural requirement of the standard.

105
MCQ · medium

A risk manager is using the FAIR model to quantify cyber risk. Which of the following inputs is MOST directly used to calculate probable financial loss?

A. Annualized loss expectancy (ALE)
B. Loss event frequency and loss magnitude
C. Vulnerability severity scores (CVSS)
D. Number of security incidents per year
Answer: B

These are the primary inputs to calculate probable financial loss.

Why this answer

FAIR calculates probable financial loss from loss event frequency and loss magnitude (monetary impact per event). The probable loss is derived from these two factors.
