CRISC Risk Response Questions


1
MCQ (medium)

A quarterly risk report for the IT steering committee shows a key risk indicator (KRI) called 'patch lag' has increased from 15 days to 45 days. What does this trend most likely indicate?

A. No change in risk level
B. Improved security posture
C. Increased vulnerability risk
D. Decreased vulnerability risk
Answer: C

Correct. Higher patch lag means systems are exposed longer.

Why this answer

The patch lag KRI measures the time between a patch's release and its deployment. An increase from 15 to 45 days means systems are exposed to known vulnerabilities for three times as long, directly widening the window of opportunity for exploitation. This trend indicates a worsening security posture and higher vulnerability risk. The report should also state how the figure is computed (mean or median, and whether patches still awaiting deployment are counted against the reporting date), because both choices change the number.

Exam trap

The trap here is that candidates may confuse a KRI trend with a risk level itself, thinking a change in the indicator does not necessarily mean a change in risk, but in CRISC, a worsening KRI like patch lag directly signals increased vulnerability risk.

How to eliminate wrong answers

Option A is wrong because a significant increase in patch lag from 15 to 45 days represents a clear change in risk level, not no change. Option B is wrong because an increased patch lag means patches are applied more slowly, which degrades rather than improves the security posture. Option D is wrong because a longer delay in applying patches increases the attack surface and vulnerability risk, rather than decreasing it.

2
MCQ (hard)

An organization is planning to implement a new security control. The project manager must ensure changes to existing systems are properly managed. Which process is most critical to include in the implementation plan?

A. User training
B. Change management
C. Vulnerability scanning
D. Access review
Answer: B

Change management is critical to control the implementation and avoid negative impacts.

Why this answer

Change management ensures that changes to systems are controlled, tested, and approved to prevent unintended disruptions or security gaps. It is essential during control implementation.

3
MCQ (medium)

During a cost-benefit analysis for a new control, the annualized loss expectancy (ALE) without the control is $500,000. The control is expected to reduce risk by 80% and will cost $150,000 annually to operate. What is the net benefit of implementing the control?

A. $400,000
B. $100,000
C. $350,000
D. $250,000
Answer: D

Net benefit = $400,000 - $150,000 = $250,000.

Why this answer

ALE reduction is 80% of $500,000 = $400,000. Net benefit = ALE reduction - annual control cost = $400,000 - $150,000 = $250,000.

4
MCQ (easy)

Which of the following is the most appropriate frequency for operational IT risk reporting to IT management?

A. Annually
B. Quarterly
C. Weekly or monthly
D. Semi-annually
Answer: C

Operational risk reporting is frequent to support timely decisions.

Why this answer

Operational risk reporting is typically provided on a weekly or monthly basis to IT management to support day-to-day decision-making.

5
MCQ (medium)

In third-party risk management, which of the following is MOST indicative of a vendor's control effectiveness for a critical vendor?

A. SOC 2 Type II report
B. Contractual security requirements
C. Vendor's self-assessment questionnaire
D. Vendor's marketing materials
Answer: A

This is an independent audit that tests controls over time, providing strong evidence.

Why this answer

A SOC 2 Type II report is the most indicative of a vendor's control effectiveness because it provides an independent auditor's opinion on the design and operating effectiveness of controls over a specified period (typically 6–12 months). For a critical vendor, this third-party attestation offers objective evidence that security and privacy controls are actually working, not just promised. The report still has to be read, not just collected: confirm the review period is recent and the scope covers the service being purchased, check any noted exceptions and the auditor's qualifications, and identify the complementary user entity controls the vendor expects the customer to operate.

Exam trap

The trap here is that candidates often confuse contractual requirements or self-assessments as sufficient evidence of control effectiveness, but the exam tests that only an independent, audited report like SOC 2 Type II provides the objective assurance needed for critical vendors.

How to eliminate wrong answers

Option B is wrong because contractual security requirements are only promises and obligations, not evidence that controls are actually implemented or effective; they lack independent verification. Option C is wrong because a vendor's self-assessment questionnaire is subjective, unaudited, and prone to bias or incomplete responses, providing no assurance of actual control operation. Option D is wrong because marketing materials are promotional content designed to sell services, not factual evidence of control effectiveness, and they contain no technical or operational details.

6
MCQ (easy)

An organization is implementing a new access control system. Which of the following should be included in the control implementation plan?

A. Annual cost of the control only
B. Key Risk Indicators (KRIs) for the control
C. Project milestones, training schedule, and documentation updates
D. Risk assessment results
Answer: C

These are essential components of an implementation plan.

Why this answer

A control implementation plan should cover all aspects of deployment, including project management, change management, user training, and documentation updates.

7
MCQ (medium)

In third-party risk management, which of the following is typically used for initial onboarding assessment of a vendor?

A. Contract compliance review
B. Security questionnaire
C. SOC 2 Type II report
D. Shared intelligence platform feed
Answer: B

A security questionnaire is a standard initial assessment tool.

Why this answer

Security questionnaires are commonly used during initial vendor assessment to gather information about the vendor's security posture.

8
MCQ (medium)

An IT risk manager is preparing a report for the board of directors. Which of the following content elements is most important for strategic risk reporting?

A. Weekly vulnerability scan results
B. IT risk integration with enterprise risk management
C. List of all vendor risk assessments
D. Detailed control performance metrics
Answer: B

The board needs to understand how IT risk fits into the overall enterprise risk profile.

Why this answer

Strategic risk reporting to the board requires a high-level view that aligns IT risk with enterprise objectives. Option B is correct because it demonstrates how IT risk is integrated into the broader enterprise risk management (ERM) framework, enabling the board to understand the business impact of IT risks. This integration is essential for strategic decision-making, as it connects technical risk data to organizational goals and risk appetite.

Exam trap

The trap here is that candidates often confuse operational reporting (e.g., vulnerability scans, control metrics) with strategic reporting, failing to recognize that the board requires a consolidated, business-aligned view of risk rather than detailed technical data.

How to eliminate wrong answers

Option A is wrong because weekly vulnerability scan results are operational, tactical data that is too granular and frequent for board-level strategic reporting; the board needs aggregated risk trends, not raw scan outputs. Option C is wrong because listing all vendor risk assessments is an operational detail that does not convey strategic risk posture or business impact; the board requires a summary of key vendor risks and their effect on enterprise objectives. Option D is wrong because detailed control performance metrics, such as specific control failure rates, are more appropriate for management and audit reporting, not for the board's strategic view, which focuses on risk exposure and mitigation effectiveness at a macro level.

9
MCQ (hard)

An organization's IT risk team is promoting a risk-aware culture. Which initiative is most likely to encourage employees to report security incidents without fear?

A. Establishing a no-blame incident reporting policy
B. Publishing quarterly incident statistics
C. Increasing the frequency of security awareness training
D. Implementing automated incident detection
Answer: A

A no-blame policy fosters a culture of reporting.

Why this answer

A no-blame incident reporting policy directly addresses the psychological barrier of fear of reprisal, which is the primary reason employees hesitate to report security incidents. By explicitly stating that reporters will not face disciplinary action for unintentional errors or omissions, the organization fosters psychological safety and encourages timely reporting, which is critical for effective risk response.

Exam trap

The trap here is that candidates may confuse 'increasing awareness training' (Option C) with addressing fear, when in fact training alone does not remove the organizational culture of blame that discourages reporting.

How to eliminate wrong answers

Option B is wrong because publishing quarterly incident statistics provides transparency and awareness but does not address the fear of personal consequences that prevents employees from reporting incidents. Option C is wrong because increasing the frequency of security awareness training improves knowledge and vigilance but does not remove the fear of blame or punishment for reporting an incident. Option D is wrong because implementing automated incident detection improves technical detection capabilities but does not influence human behavior or the cultural willingness to report incidents voluntarily.

10
MCQ (medium)

A company is implementing a new access control system. According to the project plan, user training will be delivered after the system goes live. What change management issue does this present?

A. Training after go-live ensures the system is fully operational
B. Training after go-live is more effective because users have context
C. Training after go-live reduces the project budget
D. Training after go-live may lead to user errors and security incidents
Answer: D

Without prior training, users may misuse the system, increasing risk.

Why this answer

Training should ideally be delivered before go-live to ensure users can operate the system securely. Delaying training increases the risk of errors and security incidents.

11
Multi-Select (medium)

An organization is integrating its IT risk program with the enterprise risk management (ERM) framework. Which THREE of the following activities support this integration?

Select 3 answers
A. Using consistent risk metrics and terminology across IT and enterprise levels
B. Aligning IT risk appetite with enterprise risk appetite
C. Reporting IT risk as a component of broader operational risk
D. Maintaining a separate IT risk register not shared with ERM
E. Reporting IT risks only to the CIO without board visibility
Answers: A, B, C

Consistency enables aggregation and comparison.

Why this answer

Using consistent risk metrics and terminology across IT and enterprise levels (Option A) ensures that IT risks are communicated in a language that the broader ERM framework understands, enabling aggregation and comparison. Aligning IT risk appetite with enterprise risk appetite (Option B) means IT risk decisions use the same tolerances the board has set, and reporting IT risk as a component of operational risk (Option C) places it in the taxonomy ERM already uses to aggregate exposure. Together these prevent siloed risk assessments and support a unified view of risk across the organization, which is a foundational requirement for integrating IT risk into ERM.

Exam trap

The trap here is that candidates may think maintaining a separate IT risk register is acceptable for specialized IT risks, but CRISC emphasizes that integration requires sharing and aligning risk information across all levels, not isolating it.

12
Multi-Select (medium)

An organization is designing a vendor risk management program. Which TWO of the following are essential components of ongoing vendor monitoring? (Select TWO)

Select 2 answers
A. Review of contract terms
B. Penetration testing by the vendor
C. Initial onboarding security questionnaire
D. Continuous monitoring via shared threat intelligence platforms
E. Annual reassessment of vendor risk
Answers: D, E

Continuous monitoring using external intel is an ongoing practice.

Why this answer

Continuous monitoring via shared threat intelligence platforms (Option D) gives near-real-time visibility into breaches, exposed credentials and newly disclosed vulnerabilities affecting the vendor between formal reviews, so the organization can adjust its risk posture without waiting for the next scheduled assessment. Annual reassessment of vendor risk (Option E) re-validates the vendor's tier, controls and evidence on a fixed cycle. Ongoing monitoring combines both: one continuous signal and one periodic review. The onboarding questionnaire (Option C) is a one-time intake step, contract review (Option A) is a procurement and legal activity, and penetration testing by the vendor (Option B) is a control the vendor operates, not a monitoring activity the customer performs.

Exam trap

The trap here is either treating the onboarding questionnaire (Option C) as monitoring because it is security-related, or selecting only the continuous item (Option D) on the grounds that annual reassessment is scheduled rather than real-time. In a vendor program, ongoing monitoring means both continuous signals and periodic reassessment; neither alone is sufficient for a critical vendor.

13
MCQ (medium)

During a cost-benefit analysis for a proposed control, the annual loss expectancy (ALE) for a risk is currently $500,000. The control will cost $100,000 annually and is expected to reduce the ALE by 80%. What is the net benefit of implementing this control?

A. $100,000
B. $300,000
C. $400,000
D. $500,000
Answer: B

Reduction of $400,000 minus cost of $100,000 equals $300,000 net benefit.

Why this answer

The current annual loss expectancy (ALE) is $500,000. An 80% reduction lowers the ALE by $400,000, resulting in a new ALE of $100,000. The annual control cost is $100,000, so the net benefit is the reduction in ALE ($400,000) minus the control cost ($100,000), which equals $300,000.

Exam trap

The CRISC exam often tests the distinction between gross reduction in ALE and net benefit, tricking candidates into forgetting to subtract the annual control cost from the ALE reduction.

How to eliminate wrong answers

Option A is wrong because $100,000 represents only the annual control cost, not the net benefit after accounting for the ALE reduction. Option C is wrong because $400,000 is the gross reduction in ALE (80% of $500,000) but fails to subtract the $100,000 control cost. Option D is wrong because $500,000 is the original ALE before any control is applied, ignoring both the reduction and the cost of the control.

14
MCQ (medium)

Which of the following is a leading indicator that the risk of a credential-based attack may be increasing?

A. Failed authentication spike
B. Increased number of successful logins
C. Low patch compliance
D. High mean time to resolve incidents
Answer: A

A sudden increase in failures is a common KRI for credential attacks.

Why this answer

A failed authentication spike is a leading indicator because it directly signals an increase in attempted unauthorized access, often from credential stuffing or brute-force attacks. Unlike lagging indicators that measure past incidents, this metric provides early warning that the risk of a credential-based attack is rising, allowing proactive controls like account lockout policies or CAPTCHA challenges to be implemented before a breach occurs.

Exam trap

The trap here is that candidates confuse leading indicators (which predict future risk) with lagging indicators (which measure past events), leading them to choose options like high mean time to resolve incidents or low patch compliance, which are not directly tied to credential-based attack risk.

How to eliminate wrong answers

Option B is wrong because an increased number of successful logins is not a leading indicator of credential-based attack risk; it could indicate legitimate user activity or a successful compromise, but it does not signal an impending attack. Option C is wrong because low patch compliance is a general security risk indicator, not specific to credential-based attacks; it relates to vulnerability management rather than authentication attempts. Option D is wrong because high mean time to resolve incidents is a lagging indicator of incident response effectiveness, not a leading indicator of attack risk; it measures post-incident performance, not pre-attack conditions.

15
Multi-Select (easy)

Which TWO of the following are examples of continuous monitoring techniques?

Select 2 answers
A. Ad-hoc access reviews requested by management.
B. Automated SIEM rules for intrusion detection.
C. Annual risk assessment.
D. Quarterly control testing by internal audit.
E. Vulnerability scanning performed weekly.
Answers: B, E

SIEM rules run continuously to detect threats.

Why this answer

Automated SIEM rules for intrusion detection (B) are a continuous monitoring technique because they operate in real time, analyzing logs and events as they occur to detect and alert on security incidents without manual intervention. Weekly vulnerability scanning (E) also qualifies: the scanner, not an auditor, collects and compares the data on every cycle, so coverage is automated and recurring even though it is not real time. This aligns with the CRISC principle of ongoing, automated oversight rather than periodic, human-driven reviews.

Exam trap

The trap here is that candidates confuse periodic activities (like quarterly testing or annual assessments) with continuous monitoring, failing to recognize that continuous monitoring relies on automated, recurring or real-time data collection and analysis, not scheduled human-driven reviews.

16
MCQ (medium)

A Key Risk Indicator (KRI) that shows a rising trend in the average time to apply critical security patches suggests:

A. Decreasing risk of exploitation
B. Stable risk level
C. Increasing risk of exploitation
D. Improved control effectiveness
Answer: C

Longer patch times mean vulnerabilities remain unpatched longer, increasing risk.

Why this answer

Patch lag is a leading indicator that vulnerability risk is increasing because unpatched systems are more exposed to exploits.
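The patch lag KRI in questions 1 and 16 is simple to state but easy to compute badly. The Python below is an added example, not part of the question bank: the patch records, the 30-day amber and 45-day red thresholds, and the 20 percent trend tolerance are all constructed assumptions. It makes one point the explanations above leave implicit: a patch that has not been deployed yet is still accruing lag, so a KRI computed only over deployed patches understates exposure, and the example reports both figures side by side.

```python
"""Added example: computing a 'patch lag' KRI per reporting period.

All records, thresholds and tolerances below are constructed for
illustration; they are not from the question bank.
"""
from datetime import date
from statistics import median

# Constructed records: (asset, patch release date, deployment date or
# None when the patch is still undeployed at the reporting date).
Q1_RECORDS = [
    ("web-01", date(2024, 1, 2), date(2024, 1, 17)),
    ("web-02", date(2024, 1, 2), date(2024, 1, 12)),
    ("db-01", date(2024, 2, 5), date(2024, 2, 25)),
    ("app-01", date(2024, 2, 5), date(2024, 2, 20)),
    ("vpn-01", date(2024, 3, 1), date(2024, 3, 16)),
]
Q1_AS_OF = date(2024, 3, 31)
Q2_RECORDS = [
    ("web-01", date(2024, 4, 3), date(2024, 5, 18)),
    ("web-02", date(2024, 4, 3), date(2024, 5, 3)),
    ("db-01", date(2024, 5, 6), date(2024, 6, 20)),
    ("app-01", date(2024, 5, 6), None),  # still unpatched at quarter end
    ("vpn-01", date(2024, 6, 4), date(2024, 6, 24)),
]
Q2_AS_OF = date(2024, 6, 30)


def patch_lag_days(released, deployed, as_of):
    """Days between release and deployment. An undeployed patch is
    measured against the reporting date: its lag is still growing."""
    end = deployed if deployed is not None else as_of
    return (end - released).days


def patch_lag_kri(records, as_of, include_open=True):
    """Median lag across records for the period ending at as_of.
    include_open=False reproduces the common mistake of counting only
    patches that have already been deployed."""
    lags = [
        patch_lag_days(released, deployed, as_of)
        for _, released, deployed in records
        if include_open or deployed is not None
    ]
    return median(lags)


def rate_kri(lag_days, amber=30, red=45):
    """Map a lag value to a reporting colour (thresholds are assumed)."""
    if lag_days >= red:
        return "red"
    if lag_days >= amber:
        return "amber"
    return "green"


def trend(previous, current, tolerance=0.20):
    """Direction of change between two periods, ignoring moves inside
    the tolerance band so that noise is not reported as a trend."""
    if current > previous * (1 + tolerance):
        return "worsening"
    if current < previous * (1 - tolerance):
        return "improving"
    return "stable"


def quarterly_report(prev_records, prev_as_of, cur_records, cur_as_of):
    """Assemble the KRI line an IT steering committee report would carry."""
    prev = patch_lag_kri(prev_records, prev_as_of)
    cur = patch_lag_kri(cur_records, cur_as_of)
    return {
        "previous_days": prev,
        "current_days": cur,
        "status": rate_kri(cur),
        "trend": trend(prev, cur),
        # What the KRI would read if undeployed patches were ignored.
        "current_days_deployed_only": patch_lag_kri(
            cur_records, cur_as_of, include_open=False
        ),
    }


def example_report():
    """Run the two constructed quarters through the report."""
    return quarterly_report(Q1_RECORDS, Q1_AS_OF, Q2_RECORDS, Q2_AS_OF)


if __name__ == "__main__":
    print(example_report())
```

On the constructed data the KRI moves from 15 to 45 days and the status flips to red, but the deployed-only variant reads 37.5 days, which would have kept the indicator amber; the open patch on app-01 is exactly the exposure the committee needs to see. In practice the same function is usually run separately per severity (critical versus all patches) and per asset tier, since one aggregate number can hide a long tail on the systems that matter most.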

17
MCQ (hard)

A risk practitioner notices that the number of failed authentication attempts has spiked by 300% over the past week. Which of the following actions should be taken FIRST?

A. Report the spike to the board
B. Implement multi-factor authentication (MFA)
C. Increase the frequency of password changes
D. Analyze the logs to identify the source and nature of the attempts
Answer: D

Investigation is the first step to determine if it's an attack or a system issue.

Why this answer

Option D is correct because the first step in responding to a potential security incident, such as a 300% spike in failed authentication attempts, is to analyze the logs to determine the source and nature of the activity. This aligns with the NIST SP 800-61 incident response lifecycle (Preparation; Detection and Analysis; Containment, Eradication, and Recovery; Post-Incident Activity), where analysis precedes any containment or reporting action. Without knowing whether the spike is a brute-force attack from a single host, a distributed credential-stuffing campaign, or a misconfigured application retrying a stale credential, any subsequent action could be premature or ineffective.

Exam trap

The trap here is that candidates often jump to implementing a security control (like MFA or password changes) as a first response, but CRISC emphasizes that analysis and understanding of the risk must precede any response action.

How to eliminate wrong answers

Option A is wrong because reporting a spike to the board without first analyzing the logs is premature; the board requires actionable, analyzed information, not raw alerts. Option B is wrong because implementing multi-factor authentication (MFA) is a long-term control that should be designed and deployed after understanding the attack vector, not as an immediate response to a log spike. Option C is wrong because increasing the frequency of password changes does not address the root cause of failed authentication attempts (e.g., brute force or credential stuffing) and can actually weaken security by encouraging weak passwords; it is not a first-response action.
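Questions 14 and 17 both turn on a spike in failed authentications, and the second asks what "analyze the logs to identify the source and nature" actually involves. The Python below is an added example, not part of the question bank. The log lines are constructed in OpenSSH's `Failed password for ... from ... port ...` message format with an ISO timestamp prefix; the week boundaries, the 80 percent single-source share and the five-account spread used to label a pattern are assumptions chosen for illustration. It sizes the spike against a baseline window, profiles the failures by source and target account, and then checks the one thing that changes the response most: whether the same source also produced an accepted login.

```python
"""Added example: sizing a failed-authentication spike and profiling its
source and nature from log lines.

Log lines, window boundaries and classification thresholds are all
constructed assumptions for illustration.
"""
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample log (OpenSSH-style messages with an ISO timestamp).
# Week of 3 June: a few ordinary typos by real users. Week of 10 June:
# one host walks through a list of account names at a steady rate.
SAMPLE_LOG = """\
2024-06-03T08:12:01Z host1 sshd[410]: Failed password for alice from 198.51.100.10 port 51000 ssh2
2024-06-03T08:12:09Z host1 sshd[410]: Accepted password for alice from 198.51.100.10 port 51000 ssh2
2024-06-04T09:30:15Z host1 sshd[512]: Failed password for bob from 198.51.100.11 port 51010 ssh2
2024-06-05T14:02:44Z host1 sshd[611]: Accepted password for bob from 198.51.100.11 port 51020 ssh2
2024-06-06T17:45:03Z host1 sshd[700]: Failed password for carol from 198.51.100.12 port 51030 ssh2
2024-06-10T02:00:01Z host1 sshd[900]: Failed password for invalid user admin from 203.0.113.7 port 40001 ssh2
2024-06-10T02:00:02Z host1 sshd[901]: Failed password for root from 203.0.113.7 port 40002 ssh2
2024-06-10T02:00:03Z host1 sshd[902]: Failed password for invalid user test from 203.0.113.7 port 40003 ssh2
2024-06-10T02:00:04Z host1 sshd[903]: Failed password for invalid user oracle from 203.0.113.7 port 40004 ssh2
2024-06-10T02:00:05Z host1 sshd[904]: Failed password for invalid user postgres from 203.0.113.7 port 40005 ssh2
2024-06-10T02:00:06Z host1 sshd[905]: Failed password for alice from 203.0.113.7 port 40006 ssh2
2024-06-10T02:00:07Z host1 sshd[906]: Failed password for bob from 203.0.113.7 port 40007 ssh2
2024-06-10T02:00:08Z host1 sshd[907]: Failed password for carol from 203.0.113.7 port 40008 ssh2
2024-06-10T02:00:09Z host1 sshd[908]: Failed password for invalid user ubuntu from 203.0.113.7 port 40009 ssh2
2024-06-10T02:00:10Z host1 sshd[909]: Failed password for invalid user guest from 203.0.113.7 port 40010 ssh2
2024-06-10T02:00:11Z host1 sshd[910]: Failed password for invalid user backup from 203.0.113.7 port 40011 ssh2
2024-06-10T02:00:12Z host1 sshd[911]: Failed password for invalid user deploy from 203.0.113.7 port 40012 ssh2
2024-06-12T10:00:00Z host1 sshd[950]: Accepted password for alice from 198.51.100.10 port 51050 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<outcome>Accepted|Failed) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)
UTC = timezone.utc
BASELINE_WINDOW = (datetime(2024, 6, 3, tzinfo=UTC), datetime(2024, 6, 10, tzinfo=UTC))
CURRENT_WINDOW = (datetime(2024, 6, 10, tzinfo=UTC), datetime(2024, 6, 17, tzinfo=UTC))


def parse_log(text):
    """Return one event dict per recognised line; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
            events.append({"ts": ts, "outcome": m["outcome"], "user": m["user"], "ip": m["ip"]})
    return events


def in_window(event, window):
    return window[0] <= event["ts"] < window[1]


def spike_percent(baseline, current):
    """Percentage increase over the baseline; None when the baseline is
    zero, since a ratio against nothing is not a meaningful KRI value."""
    if baseline == 0:
        return None
    return (current - baseline) / baseline * 100


def profile(failures, source_share=0.8, spread=5):
    """Label the shape of the failures by source concentration and the
    number of accounts targeted (thresholds are assumptions)."""
    total = len(failures)
    if total == 0:
        return {"pattern": "no failures", "failures": 0, "top_ip": None}
    ips = Counter(e["ip"] for e in failures)
    users = Counter(e["user"] for e in failures)
    top_ip, top_n = ips.most_common(1)[0]
    share = top_n / total
    if share >= source_share and len(users) >= spread:
        pattern = "single-source password guessing across many accounts"
    elif share >= source_share and len(users) == 1:
        pattern = "single source, single account: check for a stale credential or misconfigured client"
    elif len(ips) >= spread and len(users) >= spread and share < 0.5:
        pattern = "distributed, many accounts: credential-stuffing signature"
    else:
        pattern = "indeterminate: widen the window or pivot on other fields"
    return {"pattern": pattern, "failures": total, "distinct_ips": len(ips),
            "distinct_users": len(users), "top_ip": top_ip, "top_ip_share": round(share, 2)}


def analyze(text, baseline_window, current_window):
    events = parse_log(text)
    base = [e for e in events if e["outcome"] == "Failed" and in_window(e, baseline_window)]
    cur = [e for e in events if e["outcome"] == "Failed" and in_window(e, current_window)]
    prof = profile(cur)
    # Did the dominant source get in? That turns 'attempted' into 'compromised'.
    accepted = [e for e in events if e["outcome"] == "Accepted"
                and e["ip"] == prof["top_ip"] and in_window(e, current_window)]
    return {"baseline_failures": len(base), "current_failures": len(cur),
            "spike_percent": spike_percent(len(base), len(cur)),
            "profile": prof, "accepted_from_top_source": len(accepted)}


def example_analysis():
    return analyze(SAMPLE_LOG, BASELINE_WINDOW, CURRENT_WINDOW)


if __name__ == "__main__":
    print(example_analysis())
```

On the constructed data the spike is exactly 300 percent, every failure comes from one address, twelve different accounts were tried and none succeeded, which is the profile of a single-host password-guessing run: the proportionate response is to block or rate-limit that source and confirm the targeted accounts are intact, not to roll out MFA or force password rotation in the middle of the event. Had the failures been spread across many sources and many accounts, the same code would label it as a credential-stuffing signature, where the targeted accounts, not the sources, become the unit of response.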

18
Multi-Select (medium)

Which THREE of the following are common elements of a periodic control effectiveness testing program? (Select THREE)

Select 3 answers
A. User training on new controls
B. Quarterly control testing by the risk function
C. Continuous monitoring via SIEM
D. Internal audit review of controls
E. Annual penetration testing
Answers: B, D, E

Quarterly testing is a common periodic activity.

Why this answer

Periodic testing includes internal audit reviews, quarterly testing by the risk function, and annual penetration tests. Continuous monitoring is not periodic, and user training is not a testing activity.

19
MCQ (hard)

During a quarterly control effectiveness test, internal audit discovers that a key automated control failed 15% of the time due to a software bug. The risk owner decides to accept the risk because the cost to fix the bug is high. What should the risk manager do next?

A. Document the risk acceptance and rationale in the risk register
B. Implement a compensating control
C. Override the risk owner's decision
D. Report the issue to the board immediately
Answer: A

Proper documentation ensures accountability and auditability.

Why this answer

Option A is correct because the risk manager's primary responsibility is to formally document the risk acceptance decision, including the rationale provided by the risk owner, in the risk register. This ensures an audit trail, transparency, and compliance with governance frameworks such as COBIT or ISO 31000. Since the risk owner has the authority to accept the risk, the risk manager must record it rather than challenge or escalate it without justification. The check that goes with recording it is to confirm the acceptance falls within the owner's delegated authority and the organization's risk appetite, and to set a review date; an acceptance that exceeds either is the case for escalation rather than routine documentation.

Exam trap

The trap here is that candidates confuse the risk manager's advisory role with an enforcement role, leading them to choose 'override the risk owner' or 'implement a compensating control' instead of recognizing that documentation is the correct procedural step after a risk acceptance decision.

How to eliminate wrong answers

Option B is wrong because implementing a compensating control would be a risk mitigation action, not a response to a risk acceptance decision; the risk owner has already chosen to accept the risk, so adding controls contradicts that decision unless the risk manager renegotiates. Option C is wrong because the risk manager does not have the authority to override the risk owner's decision; the risk owner is accountable for the risk, and the risk manager's role is advisory and documentation-focused. Option D is wrong because immediate board reporting is not required for a single accepted risk with a documented rationale; escalation to the board is reserved for risks exceeding the organization's risk appetite or for material changes in risk profile, not routine acceptance decisions.

20
MCQ (medium)

In IT risk reporting, which level of management typically receives operational risk reporting on a weekly or monthly basis?

A. External auditors
B. Board of directors
C. IT management
D. CISO/CIO
Answer: C

Operational reports are designed for IT managers.

Why this answer

Operational risk reporting is detailed and frequent, intended for IT management who oversee day-to-day operations.

21
MCQ (easy)

An IT risk report to the board of directors should primarily focus on which of the following?

A. Strategic risks and risk trends affecting the organization
B. Specific control test results for each system
C. Vendor risk assessment scores for all third parties
D. Detailed weekly operational incidents
Answer: A

The board needs a strategic overview of risks and trends.

Why this answer

The board of directors requires a high-level view of IT risk that aligns with business strategy and enterprise risk management. Strategic risks and risk trends provide the necessary context for informed decision-making, focusing on the aggregate impact of risk on organizational objectives rather than operational minutiae.

Exam trap

The CRISC exam often tests the distinction between operational reporting (tactical, detailed) and strategic reporting (aggregated, trend-based). The trap here is that candidates mistake granular data (like control test results or incident logs) as more 'thorough' or 'accurate' for the board, when in fact the board needs summarized, risk-based insights.

How to eliminate wrong answers

Option B is wrong because specific control test results for each system are too granular for the board; they are more appropriate for operational management and internal audit reporting. Option C is wrong because vendor risk assessment scores for all third parties are tactical details that should be summarized into aggregate risk exposure or trends for board-level reporting. Option D is wrong because detailed weekly operational incidents are operational metrics, not strategic risk information, and would overwhelm the board with noise rather than actionable insight.

22
MCQ (easy)

Which of the following is a leading indicator that the risk of a credential-based attack may be increasing?

A. Failed authentication spike
B. Number of accounts created
C. Password reset frequency
D. Number of successful logins
Answer: A

Correct: failed authentication spike signals potential attack.

Why this answer

A spike in failed authentications can indicate an attempted credential attack, serving as a leading KRI.

23
MCQ (medium)

A company is assessing a new vendor that will have access to its customer database. The vendor's security questionnaire reveals they lack SOC 2 certification. According to risk tiering, the vendor is classified as critical. What should the company do?

A. Accept the vendor because the questionnaire indicates other strong controls.
B. Require the vendor to obtain SOC 2 Type II certification before contract signing.
C. Proceed with the contract but increase monitoring frequency.
D. Lower the vendor's tier to medium to avoid the requirement.
Answer: B

For critical vendors, a SOC 2 Type II report is typically mandatory; the vendor must provide one or be rejected.

Why this answer

A critical-tier vendor with access to sensitive customer data requires independent assurance of security controls. A SOC 2 Type II report provides an auditor's attestation on the design and operating effectiveness of controls over a period of time, which is essential for a high-risk vendor. (Strictly, SOC 2 is an attestation report rather than a certification, even though the question uses the latter term; what matters is the independent opinion.) Requiring it before contract signing ensures the vendor meets the necessary security baseline before any data is exposed. Where the vendor cannot produce one in time, an acceptable alternative is a contractual commitment to deliver the report by a fixed date, with data access withheld until it arrives.

Exam trap

The trap here is that candidates may underestimate the importance of independent audit evidence for critical vendors and mistakenly choose increased monitoring (Option C) as a sufficient compensating control, when in fact it does not address the root need for verified, preventive controls before data access is granted.

How to eliminate wrong answers

Option A is wrong because accepting a critical-tier vendor based solely on a self-reported questionnaire, even one describing strong controls, lacks independent verification and audit rigor, which is a key requirement for high-risk data access. Option C is wrong because proceeding with the contract and increasing monitoring frequency does not address the lack of foundational, audited controls; monitoring is a detective control, not a preventive one, and is insufficient for a critical vendor. Option D is wrong because lowering the vendor's tier to avoid a requirement is not a risk treatment at all; it misclassifies the vendor to circumvent policy and leaves the inherent risk of the vendor's access to sensitive data unchanged.

24
MCQ (easy)

Which type of control testing is typically performed on a continuous basis using automated tools?

A. Annual penetration test
B. Manual control walkthrough
C. Quarterly internal audit review
D. Continuous monitoring
Answer: D

Continuous monitoring is automated and ongoing.

Why this answer

Continuous monitoring uses automated tools like SIEM rules, log monitoring, and vulnerability scanning to provide ongoing assurance over control effectiveness.

25
Multi-Select (hard)

A risk manager is updating the risk report for the IT steering committee. Which THREE elements should be included to provide a comprehensive view of the risk posture?

Select 3 answers
A. Names of all IT employees
B. Risk trend analysis
C. Risk heat map
D. Detailed configuration of each firewall
E. Top risks and their status
Answers: B, C, E

Trends show whether risk is increasing or decreasing.

Why this answer

Risk trend analysis (B) is essential for a comprehensive risk report because it shows how the organization's risk posture has changed over time, enabling the IT steering committee to identify emerging threats and assess the effectiveness of past risk responses. A risk heat map (C) gives the committee a single picture of likelihood and impact across the portfolio, and the top risks with their status (E) tie each significant exposure to an owner and a response that is either on track or not. Employee names (A) and firewall configurations (D) are operational detail that belongs in asset inventories and change records, not in a governance report. This aligns with CRISC's emphasis on continuous monitoring and reporting of risk indicators to support informed decision-making.

Exam trap

The CRISC exam often tests the distinction between operational details (like firewall configs) and strategic risk reporting elements, trapping candidates who confuse granular technical data with the high-level summaries needed for governance-level decision-making.

26
MCQ (medium)

During a quarterly control effectiveness test, an internal auditor discovers that a key preventive control has a 10% exception rate. The control is designed to prevent unauthorized transactions. Which Key Control Indicator (KCI) is being measured?

A. Key Risk Indicator (KRI)
B. Test result pass rate
C. Control deficiency rate
D. Exception rate
Answer: D

Exception rate is a KCI that measures the frequency of control failures or deviations.

Why this answer

KCIs measure control performance. The exception rate is a KCI that indicates how often the control fails to operate as intended.

27
MCQ (easy)

Which of the following is an example of a corrective control?

A. Firewall blocking unauthorized traffic
B. Intrusion detection system alerting on suspicious activity
C. Log monitoring to identify unauthorized access
D. Restoring data from backup after a ransomware attack
Answer: D

Correct. This corrects the impact of the incident.

Why this answer

Corrective controls are designed to remediate or reverse the effects of an incident after it has occurred. Restoring data from backup after a ransomware attack directly addresses the damage by recovering lost or encrypted data, making it a classic corrective control. In contrast, preventive controls (like firewalls) block incidents before they happen, and detective controls (like IDS alerts or log monitoring) identify incidents after they occur but do not fix the damage.

Exam trap

The trap here is confusing detective controls (which identify incidents) with corrective controls (which fix the damage), leading candidates to pick IDS alerts or log monitoring as corrective actions when they only provide visibility, not remediation.

How to eliminate wrong answers

Option A is wrong because a firewall blocking unauthorized traffic is a preventive control—it stops threats before they reach the network, not after an incident. Option B is wrong because an intrusion detection system (IDS) alerting on suspicious activity is a detective control—it identifies potential incidents but does not take action to correct them. Option C is wrong because log monitoring to identify unauthorized access is also a detective control—it detects breaches after they happen but does not restore or repair the affected systems or data.

28
MCQ (medium)

An organization has implemented a new control that requires manual approval for all high-value transactions. The control owner is responsible for ensuring approvals are obtained. Which control ownership aspect is demonstrated?

A. Control implementation plan
B. Cost-benefit analysis
C. Control ownership
D. Resource requirements
Answer: C

The control owner is accountable for the control's operation and effectiveness.

Why this answer

The scenario explicitly states that the control owner is responsible for ensuring approvals are obtained, which directly demonstrates the concept of control ownership. Control ownership refers to the assignment of accountability for the implementation, operation, and maintenance of a specific control, such as manual approval for high-value transactions. This is a core principle in risk response, where a named individual is accountable for the control's effectiveness, not just its implementation or cost.

Exam trap

The trap here is that candidates confuse 'control ownership' with 'control implementation' or 'resource allocation,' but the question specifically tests the distinction between accountability for ongoing operation versus planning or resourcing.

How to eliminate wrong answers

Option A is wrong because a control implementation plan is a project roadmap detailing steps, timelines, and resources to deploy a control, not the assignment of ongoing accountability for its operation. Option B is wrong because cost-benefit analysis is a financial evaluation used to justify a control's selection, not the demonstration of ownership or responsibility for its execution. Option D is wrong because resource requirements define the personnel, technology, or budget needed to operate a control, but they do not assign the specific accountability for ensuring approvals are obtained.

29
MCQmedium

Which of the following best describes the purpose of tactical risk reporting?

A.To satisfy regulatory compliance requirements
B.To inform the board of directors about strategic risk exposure
C.To provide daily operational metrics to system administrators
D.To enable the CISO to make informed decisions about risk mitigation priorities
AnswerD

Tactical reporting supports management decisions.

Why this answer

Tactical risk reporting is designed to provide mid-level management, such as the CISO, with actionable insights to prioritize risk mitigation activities. It focuses on operational risk decisions, not strategic oversight or daily metrics, enabling informed choices about resource allocation and remediation timelines.

Exam trap

The trap here is confusing the audience and time horizon of reporting levels—candidates often mistake tactical reporting for operational metrics (Option C) because both involve technical details, but tactical reporting is decision-focused for management, not daily task execution.

How to eliminate wrong answers

Option A is wrong because tactical risk reporting is not primarily for regulatory compliance; compliance reporting is a separate function that addresses specific legal or contractual requirements. Option B is wrong because informing the board about strategic risk exposure is the purpose of strategic risk reporting, which covers high-level, long-term risk posture. Option C is wrong because providing daily operational metrics to system administrators is the role of operational or technical reporting, not tactical reporting, which targets management decisions.

30
MCQmedium

An IT risk report for the board of directors should primarily focus on:

A.Specific control failures with root cause analysis
B.Detailed technical vulnerability scan results
C.Operational incident counts
D.Top risks, trends, and control performance metrics
AnswerD

These provide a strategic overview for the board.

Why this answer

Strategic risk reporting to the board should highlight top risks, trends, and high-level metrics in business terms, avoiding excessive technical detail.

31
Multi-Selectmedium

Which TWO of the following are examples of continuous monitoring activities? (Select TWO.)

Select 2 answers
A.Continuous vulnerability scanning
B.Annual penetration testing
C.Quarterly user access reviews
D.Automated SIEM rule-based alerts for suspicious activity
E.Monthly review of audit logs
AnswersA, D

Correct. Continuous scanning is ongoing.

Why this answer

Automated SIEM monitoring and continuous vulnerability scanning are continuous activities, while annual penetration testing and quarterly access reviews are periodic.

32
MCQmedium

A risk owner is reviewing a control that has a deficiency rate of 15%. The target deficiency rate is less than 5%. Which of the following is the MOST appropriate immediate action?

A.Investigate the root cause of the high deficiency rate
B.Increase the target deficiency rate to 15%
C.Report the deficiency to the external auditor
D.Accept the risk and document the decision
AnswerA

Root cause analysis is needed to identify why the control is failing.

Why this answer

A deficiency rate of 15% against a target of less than 5% indicates a control failure that requires immediate remediation. Investigating the root cause is the first step in the risk response process to identify why the control is failing and to determine the appropriate corrective action, aligning with the Risk Response and Reporting domain's emphasis on addressing control deficiencies before considering acceptance or reporting.

Exam trap

The trap here is that candidates may choose 'Accept the risk and document the decision' (Option D) because they confuse risk acceptance with a standard response to control deficiencies, but CRISC emphasizes that acceptance is only appropriate after a formal risk assessment and when remediation is not feasible or cost-justified.

How to eliminate wrong answers

Option B is wrong because increasing the target deficiency rate to 15% would lower the control standard without addressing the underlying failure, effectively ignoring the risk and violating the principle of maintaining control effectiveness. Option C is wrong because reporting the deficiency to the external auditor is premature; the immediate action should be internal investigation and remediation, not external disclosure, which occurs after analysis and as part of formal reporting cycles. Option D is wrong because accepting the risk without understanding the root cause or attempting remediation bypasses the risk treatment process; acceptance should be a deliberate decision after evaluating the impact and likelihood, not the first action upon discovering a high deficiency rate.

33
Multi-Selecthard

Which THREE of the following are essential components of an effective IT risk report to senior management? (Select THREE.)

Select 3 answers
A.Risk trend analysis over time
B.Risk heat map showing current risk levels
C.Names of all third-party vendors with contracts
D.List of top risks and their mitigation status
E.Detailed control deficiency descriptions
AnswersA, B, D

Correct. Shows changes in risk posture.

Why this answer

Risk trend analysis over time (Option A) is essential because it enables senior management to understand whether the organization's risk posture is improving or deteriorating, supporting strategic decision-making. Trend data, such as month-over-month changes in residual risk scores or frequency of high-severity incidents, provides context beyond a static snapshot. This aligns with the CRISC focus on continuous monitoring and reporting of risk response effectiveness.

Exam trap

The trap here is that candidates confuse operational detail (like vendor lists or control descriptions) with strategic reporting content, failing to recognize that senior management needs aggregated, decision-focused information rather than granular technical data.

34
MCQhard

An organization's risk committee reviews a risk heat map showing that a key IT risk has moved from the "high" to "medium" category. However, the associated control's effectiveness has decreased from 95% to 85%. What is the most likely explanation?

A.The control testing frequency was increased.
B.The inherent risk has decreased due to external factors.
C.The risk assessment methodology was changed.
D.The control owner has implemented additional compensating controls.
AnswerB

A decrease in inherent risk can lower overall risk even if control effectiveness drops.

Why this answer

The risk heat map shows a reduction in residual risk from high to medium, yet the control effectiveness dropped from 95% to 85%. This apparent contradiction is best explained by a decrease in inherent risk—the risk before controls are applied. If inherent risk falls (e.g., due to external factors like new regulations or reduced threat activity), the residual risk can decrease even if the control becomes less effective, because the starting risk level is lower.

Exam trap

The trap here is that candidates assume a decrease in control effectiveness must always increase residual risk, ignoring that a simultaneous decrease in inherent risk can more than compensate, leading to a net reduction in residual risk.

How to eliminate wrong answers

Option A is wrong because increasing control testing frequency typically improves control effectiveness or detects failures earlier, not decreases it; it would not cause effectiveness to drop from 95% to 85%. Option C is wrong because changing the risk assessment methodology could alter how risk is categorized, but the question states the control's effectiveness has measurably decreased, which is a factual change in control performance, not a methodological reclassification. Option D is wrong because implementing additional compensating controls would generally increase overall control effectiveness or at least maintain it, not reduce it from 95% to 85%.

35
MCQmedium

Which of the following is a leading Key Risk Indicator (KRI) for the risk of a data breach?

A.Average time to detect a breach
B.Number of data breaches in the past quarter
C.Percentage of systems with unpatched critical vulnerabilities
D.Number of security incidents closed
AnswerC

This is a leading indicator; a high percentage suggests increased risk of future breaches.

Why this answer

A leading KRI predicts future risk events. The percentage of systems with unpatched critical vulnerabilities directly indicates an increasing attack surface and likelihood of exploitation, making it a leading indicator for a data breach. In contrast, lagging indicators like detection time or breach count measure past incidents.

Exam trap

The trap here is that candidates confuse lagging indicators (like breach count or detection time) with leading indicators, failing to recognize that a leading KRI must predict future risk, not measure past events.

How to eliminate wrong answers

Option A is wrong because average time to detect a breach (Mean Time to Detect, MTTD) is a lagging indicator that measures the effectiveness of detection controls after a breach has occurred, not a predictor of future breaches. Option B is wrong because the number of data breaches in the past quarter is a lagging indicator that reports historical incidents, providing no forward-looking insight into the likelihood of a future breach. Option D is wrong because the number of security incidents closed is a lagging operational metric reflecting past remediation activity, not a leading indicator of breach risk.

36
MCQmedium

Which of the following is the best example of a Key Control Indicator (KCI) for a firewall rule review process?

A.Number of firewall breaches per quarter
B.Percentage of firewall rules reviewed within the defined period
C.Number of firewall administrators
D.Time since last firewall software update
AnswerB

This measures adherence to the control process.

Why this answer

A Key Control Indicator (KCI) measures the effectiveness of a control by tracking its operational performance. For a firewall rule review process, the percentage of rules reviewed within the defined period directly indicates whether the control (periodic review) is being executed as intended, ensuring that stale or overly permissive rules are identified and remediated on schedule.

Exam trap

Cisco often tests the distinction between KCIs (control performance) and KRIs (risk outcomes), so the trap here is confusing a lagging outcome metric (breaches) with a leading process metric (review completion).

How to eliminate wrong answers

Option A is wrong because the number of firewall breaches per quarter is a Key Risk Indicator (KRI), not a KCI; it measures the outcome of control failure rather than the performance of the control itself. Option C is wrong because the number of firewall administrators is a staffing metric unrelated to the operational effectiveness of the rule review process; it does not indicate whether reviews are completed on time. Option D is wrong because the time since the last firewall software update measures patch management hygiene, not the adherence to a rule review schedule; it is a separate control indicator for vulnerability management.

37
Multi-Selectmedium

After implementing a new access control system, the IT risk manager needs to measure its effectiveness. Which THREE of the following are Key Control Indicators (KCIs) that would be appropriate?

Select 3 answers
A.Patch lag time for critical systems
B.Exception rate for access requests
C.Control deficiency rate identified in audits
D.Test results from control testing
E.User satisfaction survey scores
AnswersB, C, D

Exception rate indicates how often controls are bypassed.

Why this answer

Option B is correct because the exception rate for access requests directly measures how often access requests deviate from established policies, indicating the effectiveness of the access control system in enforcing least privilege and authorization rules. A high exception rate suggests weaknesses in the control design or operation, making it a key control indicator (KCI) for access management.

Exam trap

The trap here is confusing KRIs (which measure risk exposure, like patch lag) with KCIs (which measure control effectiveness), leading candidates to select metrics that are not directly tied to the control's operational performance.

38
MCQeasy

An organization is selecting a control to prevent unauthorized access to a critical database. Which control type is most appropriate?

A.Detective control
B.Corrective control
C.Directive control
D.Preventive control
AnswerD

Preventive controls stop incidents from occurring, such as access control lists.

Why this answer

Preventive control is the most appropriate because it directly stops unauthorized access before it occurs. For a critical database, this includes mechanisms like database firewalls, access control lists (ACLs), or mandatory access control (MAC) policies that enforce authentication and authorization at the point of entry, such as requiring valid credentials and role-based permissions before any query is processed.

Exam trap

The trap here is that candidates often confuse 'preventive' with 'detective' controls, mistakenly thinking that logging and monitoring (detective) are sufficient to stop unauthorized access, when in fact they only provide visibility after the fact.

How to eliminate wrong answers

Option A is wrong because detective controls, such as audit logs or intrusion detection systems (IDS), only identify unauthorized access after it has happened, not prevent it. Option B is wrong because corrective controls, like restoring from a backup or applying a patch, are used to remediate damage after an incident, not to block initial access. Option C is wrong because directive controls, such as security policies or acceptable use agreements, guide behavior but do not technically enforce or block access to the database.

39
MCQhard

An organization is implementing a new control to address a high-risk finding. The project manager has scheduled a user training session and updated the relevant policies. Which implementation phase is being addressed?

A.Control monitoring
B.Risk assessment
C.Control implementation
D.Control design
AnswerC

Correct. Training and documentation are key implementation steps.

Why this answer

These activities (training and documentation updates) are part of the control implementation phase, specifically after the control is designed and before going live.

40
MCQeasy

Which risk reporting level is typically provided to the board of directors and focuses on strategic risk posture?

A.Tactical risk reporting
B.Compliance risk reporting
C.Strategic risk reporting
D.Operational risk reporting
AnswerC

Strategic reporting is semi-annual/annual for the board.

Why this answer

Strategic risk reporting is the correct level for the board of directors because it focuses on high-level, long-term risks that could affect the organization's strategic objectives and overall business posture. Unlike tactical or operational reports, strategic reports aggregate risk data into a format that supports governance, risk appetite decisions, and capital allocation at the executive level.

Exam trap

The trap here is that candidates often confuse 'strategic' with 'operational' or 'tactical' because they think the board needs detailed technical data, when in fact the board requires aggregated, high-level information focused on long-term strategy and risk appetite.

How to eliminate wrong answers

Option A is wrong because tactical risk reporting is designed for mid-level management and focuses on specific projects or processes, not the enterprise-wide strategic posture required by the board. Option B is wrong because compliance risk reporting is narrowly scoped to regulatory and legal obligations, such as SOX or GDPR, and does not encompass the broader strategic risk landscape. Option D is wrong because operational risk reporting deals with day-to-day risks like system failures or process errors, which are too granular and short-term for board-level strategic oversight.

41
MCQhard

A change to a critical application is being implemented without updating the associated security controls. This is most likely a failure in which process?

A.Control design
B.Change management
C.Project management
D.User training
AnswerB

Change management requires that security controls are reviewed and updated as part of any change.

Why this answer

A change to a critical application that bypasses updating security controls is a direct failure of the change management process. Change management requires that all changes, including security controls, be reviewed, approved, and documented before implementation to maintain the risk posture. Without this process, the organization loses visibility and control over the security implications of the change, leading to potential vulnerabilities.

Exam trap

The trap here is that candidates confuse 'control design' (the initial architecture of controls) with the ongoing governance process of 'change management' that ensures controls are kept in sync with system modifications.

How to eliminate wrong answers

Option A is wrong because control design refers to the initial creation or selection of controls, not the process of ensuring they are updated when a change occurs. Option C is wrong because project management focuses on delivering a project's scope, schedule, and budget, not specifically on the procedural requirement to update security controls during operational changes. Option D is wrong because user training addresses end-user competency, not the procedural governance of change implementation and security control alignment.

42
Multi-Selectmedium

Which TWO of the following are leading indicators that could be used as KRIs for information security risk? (Select TWO.)

Select 2 answers
A.Number of security incidents in the past quarter
B.Number of audit findings from the last audit
C.Patch lag (average time to apply critical patches)
D.Spike in failed authentication attempts
E.Percentage of employees who completed security awareness training
AnswersC, D

Correct. Indicates future vulnerability risk.

Why this answer

Option C is correct because patch lag (average time to apply critical patches) is a leading indicator that measures the organization's vulnerability exposure window before an exploit occurs. A shorter patch lag indicates proactive risk mitigation, while a longer lag signals increased risk of compromise, making it a forward-looking KRI for information security risk.

Exam trap

The trap here is that candidates often confuse lagging indicators (like incident counts or audit findings) with leading indicators, failing to recognize that KRIs must be predictive and forward-looking to proactively manage risk rather than merely report on past events.

43
MCQeasy

An organization uses automated SIEM rules to continuously monitor for unauthorized access attempts. This is an example of which type of monitoring?

A.Periodic control testing
B.Vulnerability scanning
C.Access review
D.Continuous monitoring
AnswerD

SIEM rules provide ongoing automated monitoring.

Why this answer

Continuous monitoring involves the use of automated tools, such as Security Information and Event Management (SIEM) systems, to provide real-time or near-real-time oversight of security events. In this scenario, the SIEM rules are configured to detect unauthorized access attempts as they occur, which aligns directly with the definition of continuous monitoring rather than periodic or point-in-time assessments.

Exam trap

The trap here is that candidates confuse 'continuous monitoring' with 'periodic control testing' or 'access review' because they all involve oversight of access, but only continuous monitoring uses automated, real-time detection of events as they happen, not scheduled checks or static permission audits.

How to eliminate wrong answers

Option A is wrong because periodic control testing refers to scheduled, manual or automated checks performed at set intervals (e.g., quarterly or annually), not the ongoing, real-time analysis provided by SIEM rules. Option B is wrong because vulnerability scanning is a specific type of assessment that identifies known vulnerabilities (e.g., missing patches, misconfigurations) in systems or networks, not the detection of unauthorized access attempts in real time. Option C is wrong because an access review is a periodic or ad-hoc audit of user permissions and entitlements (e.g., reviewing Active Directory group memberships), not the continuous detection of access attempts via SIEM correlation rules.

44
MCQmedium

A vendor risk tier is assigned based on data access and service criticality. A vendor that processes sensitive customer data and is critical to operations should be classified as which tier?

A.High tier
B.Critical tier
C.Low tier
D.Medium tier
AnswerB

Critical tier is for vendors with high data access and criticality to operations.

Why this answer

A vendor that processes sensitive customer data and is critical to operations poses the highest level of risk to the organization. Under the CRISC framework, such a vendor is classified as Critical tier because the combination of high data sensitivity and operational criticality requires the most stringent risk management controls, including enhanced due diligence, continuous monitoring, and contractual safeguards. This tier ensures that the highest priority vendors receive the most rigorous oversight to mitigate potential impacts on confidentiality, integrity, and availability.

Exam trap

Cisco often tests the distinction between 'High' and 'Critical' tiers, where candidates mistakenly choose 'High' because they overlook that 'Critical' is the highest tier in many risk classification models, reserved specifically for the most severe combination of data sensitivity and operational dependency.

How to eliminate wrong answers

Option A is wrong because 'High tier' is typically used for vendors with significant but not the highest risk, such as those with moderate data access or operational impact, but it does not capture the extreme risk posed by both sensitive data and critical operations. Option C is wrong because 'Low tier' applies to vendors with minimal data access and low operational impact, such as those providing non-essential services with no sensitive data handling, which is the opposite of the scenario described. Option D is wrong because 'Medium tier' is reserved for vendors with moderate risk, such as those with some data access or partial operational criticality, but it fails to address the highest-risk combination of sensitive data and criticality.

45
MCQmedium

In a risk report presented to the board of directors, which of the following elements is most appropriate to include?

A.Vendor security assessment scores for all vendors
B.Detailed weekly firewall log analysis
C.List of all IT incidents from the past month
D.Risk heat map with top risks and status
AnswerD

Correct. Board reports need a high-level view.

Why this answer

Strategic risk reporting to the board should focus on high-level information, such as a risk heat map showing top risks and their status.

46
MCQmedium

A security operations center (SOC) uses a Security Information and Event Management (SIEM) system to continuously monitor for suspicious activities. Which type of monitoring is being performed?

A.Periodic control testing
B.Compliance audit
C.Vulnerability scanning
D.Continuous monitoring
AnswerD

Correct. SIEM enables continuous monitoring.

Why this answer

The SOC is using a SIEM system to continuously monitor for suspicious activities, which aligns with continuous monitoring. Continuous monitoring involves real-time or near-real-time collection and analysis of security events to detect threats as they occur, rather than at scheduled intervals. SIEM systems aggregate logs and alerts from various sources to provide ongoing visibility into the security posture.

Exam trap

The trap here is that candidates confuse continuous monitoring with vulnerability scanning or periodic testing, but the key differentiator is the real-time, event-driven nature of SIEM-based monitoring versus scheduled or point-in-time assessments.

How to eliminate wrong answers

Option A is wrong because periodic control testing involves scheduled assessments (e.g., quarterly penetration tests) to verify control effectiveness, not real-time monitoring. Option B is wrong because a compliance audit is a point-in-time evaluation against regulatory standards (e.g., PCI DSS), not ongoing surveillance. Option C is wrong because vulnerability scanning is a periodic or scheduled process to identify known vulnerabilities (e.g., using Nessus or Qualys), not continuous monitoring of suspicious activities.

47
MCQeasy

A security team is considering implementing a control to prevent unauthorized access to a critical database. Which type of control is most appropriate for this objective?

A.Corrective control
B.Preventive control
C.Detective control
D.Directive control
AnswerB

Preventive controls are designed to stop an incident from occurring.

Why this answer

Preventive controls are designed to stop an incident from occurring. In this case, preventing unauthorized access aligns with a preventive control.

48
MCQeasy

Which type of control is designed to operate before an event to prevent an undesirable outcome?

A.Preventive control
B.Detective control
C.Corrective control
D.Compensating control
AnswerA

Preventive controls are implemented to avoid the occurrence of an event.

Why this answer

A preventive control is designed to operate before an event to stop an undesirable outcome from occurring. In risk management, this includes measures such as firewalls blocking unauthorized traffic before it reaches the internal network, or access control lists (ACLs) preventing unauthorized users from reading sensitive files. These controls proactively enforce security policies to reduce the likelihood of a risk event.

Exam trap

Cisco often tests the distinction between preventive and detective controls by presenting scenarios where a control like an IDS is mistakenly thought to prevent attacks, when in fact it only detects them after they have begun.

How to eliminate wrong answers

Option B (Detective control) is wrong because it operates during or after an event to identify that an undesirable outcome has occurred, such as intrusion detection systems (IDS) logging suspicious activity after the fact. Option C (Corrective control) is wrong because it operates after an event to restore normal operations, like applying a patch to fix a vulnerability that was exploited. Option D (Compensating control) is wrong because it is an alternative control used when a primary control is not feasible, not specifically designed to operate before an event.

49
MCQmedium

Which of the following is the PRIMARY purpose of integrating IT risk reporting into the enterprise risk management (ERM) program?

A.To reduce the frequency of IT risk reporting
B.To eliminate the need for IT risk assessments
C.To provide a holistic view of risk across the organization
D.To replace IT risk management with ERM
AnswerC

ERM integration ensures IT risk is seen in context of overall risk.

Why this answer

Integrating IT risk reporting into the ERM program provides a holistic view of risk across the organization by aligning IT-specific risks with strategic, operational, and compliance risks. This integration ensures that decision-makers can prioritize and respond to risks based on their aggregate impact, rather than treating IT risks in isolation. The primary purpose is to enable a unified risk posture that supports enterprise-wide governance and resource allocation.

Exam trap

Cisco often tests the misconception that ERM integration aims to replace or reduce IT-specific risk management activities, when in fact it seeks to elevate IT risk visibility to the enterprise level without eliminating specialized IT risk processes.

How to eliminate wrong answers

Option A is wrong because the purpose of integration is not to reduce the frequency of reporting but to enhance the quality and context of risk information; frequency is determined by risk velocity and materiality, not by integration alone. Option B is wrong because integrating IT risk reporting into ERM does not eliminate the need for IT risk assessments; IT risk assessments remain essential for identifying, analyzing, and evaluating specific technical threats, vulnerabilities, and controls. Option D is wrong because ERM does not replace IT risk management; rather, it subsumes IT risk as a component of the overall risk portfolio, requiring continued specialized IT risk management practices.

50
Multi-Selecteasy

Which TWO of the following are examples of continuous monitoring techniques for IT controls? (Select TWO.)

Select 2 answers
A.Quarterly internal audit reviews
B.Continuous SIEM monitoring for security alerts
C.Weekly vulnerability scanning of critical systems
D.Annual penetration testing
E.Monthly manual log review
AnswersB, C

SIEM monitoring is automated and continuous.

Why this answer

Continuous monitoring involves automated, ongoing processes. SIEM monitoring for security alerts and automated vulnerability scanning are continuous. Quarterly audits and annual penetration tests are periodic, not continuous.

51
MCQhard

A company is integrating its IT risk management program with the enterprise risk management (ERM) program. What is the primary benefit of this integration?

A.It allows IT to operate independently from business units.
B.It eliminates the requirement for a separate IT risk register.
C.It provides a holistic view of risk across the organization.
D.It reduces the need for IT-specific risk assessments.
AnswerC

ERM integration gives a comprehensive risk picture.

Why this answer

Integration ensures that IT risks are considered in the context of overall organizational objectives and that risk responses are aligned across the enterprise.

52
MCQmedium

During a cost-benefit analysis for a proposed control, the annual loss expectancy (ALE) for a risk is currently $500,000. The control is expected to reduce the ALE by 80% and will cost $150,000 per year. What is the net benefit of implementing the control?

A.$100,000
B.$250,000
C.$400,000
D.$350,000
AnswerB

Correct calculation of net benefit.

Why this answer

The current annual loss expectancy (ALE) is $500,000. An 80% reduction means the control saves $400,000 per year. Subtracting the annual control cost of $150,000 yields a net benefit of $250,000.

This is calculated as (ALE × reduction percentage) – control cost.

Exam trap

The trap here is that candidates often forget to subtract the annual control cost from the gross savings, mistakenly selecting the gross savings ($400,000) as the net benefit.

How to eliminate wrong answers

Option A ($100,000) is wrong because it is the residual ALE that remains after the 80% reduction (20% of $500,000), not the net benefit; candidates who select it have confused the loss that remains with the savings the control delivers. Option C ($400,000) is wrong because it represents the gross savings (80% of $500,000) without subtracting the $150,000 annual control cost. Option D ($350,000) is wrong because it likely results from subtracting the control cost from the original ALE ($500,000 – $150,000) and ignoring the 80% reduction factor.

53
MCQhard

An organization uses continuous monitoring via SIEM rules to detect anomalies. The SIEM generates an alert when the number of failed logins exceeds a threshold. This monitoring is an example of:

A.Periodic control testing
B.Continuous monitoring
C.Access review
D.Vulnerability scanning
AnswerB

SIEM rules operate in real time, providing continuous monitoring.

Why this answer

This scenario describes continuous monitoring because the SIEM is configured with rules that automatically and perpetually analyze login events in real time, generating alerts when the count of failed logins surpasses a predefined threshold. Unlike periodic or manual checks, this process operates 24/7 without human intervention, directly detecting anomalies as they occur.

Exam trap

The trap here is that candidates confuse 'continuous monitoring' with 'continuous auditing' or assume any automated activity is 'vulnerability scanning,' but the key differentiator is the real-time, rule-based detection of operational anomalies versus scheduled scans for configuration weaknesses.

How to eliminate wrong answers

Option A is wrong because periodic control testing involves scheduled, manual or automated assessments of controls at fixed intervals (e.g., quarterly reviews), whereas the SIEM rule runs continuously without a schedule. Option C is wrong because an access review is a manual or semi-automated process that examines user permissions and entitlements against policy, not real-time detection of failed login anomalies. Option D is wrong because vulnerability scanning identifies known software vulnerabilities (e.g., missing patches, misconfigurations) by probing systems, not by monitoring authentication failure patterns.

54
Multi-Selectmedium

Which TWO of the following are examples of detective controls?

Select 2 answers
A.Encryption of data at rest
B.Firewall rules
C.Log monitoring and analysis
D.Intrusion detection system (IDS)
E.Data backup process
AnswersC, D

Log monitoring detects events after the fact.

Why this answer

Detective controls identify incidents that have already occurred. Intrusion detection systems and log monitoring are classic examples.

55
Multi-Selectmedium

During a third-party risk management review, the organization is tiering its vendors based on risk. Which TWO of the following criteria are most relevant for determining vendor risk tier?

Select 2 answers
A.Criticality of service provided
B.Number of vendor employees
C.Level of data access the vendor has
D.Annual contract value
E.Vendor geographic location
AnswersA, C

Service criticality directly impacts business impact if disrupted.

Why this answer

The criticality of the service provided (A) directly determines the potential business impact if the vendor fails, making it a primary factor in risk tiering. Similarly, the level of data access (C) dictates the confidentiality and privacy risks, as vendors handling sensitive or regulated data (e.g., PII, PHI) pose higher inherent risk. Both criteria align with the ISACA risk management framework, which prioritizes impact and data sensitivity over financial or operational metrics.

Exam trap

Cisco often tests the misconception that financial metrics like contract value or vendor size directly correlate with risk, but the CRISC exam emphasizes that risk is driven by data sensitivity and business impact, not cost or scale.

56
MCQmedium

An IT risk manager is preparing a quarterly risk report for the CISO. Which type of reporting structure does this represent?

A.Tactical risk reporting
B.Executive risk reporting
C.Operational risk reporting
D.Strategic risk reporting
AnswerA

Quarterly to CISO/CIO is tactical.

Why this answer

Quarterly reporting to the CISO/CIO is considered tactical risk reporting, focusing on decisions affecting the IT portfolio.

57
MCQhard

An organization is implementing continuous monitoring of its network using SIEM rules. Which of the following is the PRIMARY benefit of this approach over periodic manual testing?

A.Reduces the need for security staff
B.Is less expensive than periodic testing
C.Eliminates all false positives
D.Provides real-time detection of security events
AnswerD

SIEM rules enable continuous, real-time monitoring and alerting.

Why this answer

Continuous monitoring via SIEM rules provides real-time detection of security events, enabling immediate identification and response to threats as they occur. This is the primary benefit over periodic manual testing, which only identifies issues at discrete intervals and cannot catch events that happen between tests.

Exam trap

The trap here is that candidates may confuse 'continuous monitoring' with 'automated response' or assume it reduces staffing needs, but the CRISC exam emphasizes that the primary benefit is real-time detection, not cost savings or elimination of human oversight.

How to eliminate wrong answers

Option A is wrong because continuous monitoring does not eliminate the need for security staff; it augments their capabilities but still requires analysts to investigate alerts, tune rules, and respond to incidents. Option B is wrong because continuous monitoring often involves higher upfront and ongoing costs for SIEM infrastructure, licensing, and staffing compared to periodic manual testing. Option C is wrong because SIEM rules can produce false positives due to misconfigurations, noisy data sources, or overly broad rule logic; they do not eliminate all false positives.

58
MCQeasy

During a cost-benefit analysis for a proposed control, the annualized loss expectancy (ALE) without the control is $500,000. The control is expected to reduce the ALE to $100,000. The control implementation cost is $150,000, and the annual operating cost is $30,000. What is the net annual benefit of the control?

A.$400,000
B.$220,000
C.$370,000
D.$250,000
AnswerB

Correct calculation: ALE reduction minus total annualized cost.

Why this answer

The net annual benefit is the reduction in ALE minus the control's annualized cost. The ALE reduction is $500,000 - $100,000 = $400,000. The control has two cost components: a one-time implementation cost of $150,000 and an annual operating cost of $30,000. Subtracting only the operating cost would give $370,000, and spreading the implementation cost over a multi-year horizon (e.g., $50,000 per year over a typical 3-year horizon) would give $370,000 - $50,000 = $320,000, but the question expects the implementation cost to be charged in full against the first year: net annual benefit = (ALE without control - ALE with control) - (annual operating cost + annualized implementation cost).

With a 1-year horizon, that is ($500,000 - $100,000) - ($30,000 + $150,000) = $400,000 - $180,000 = $220,000.

Exam trap

The trap here is that candidates often forget to include the implementation cost in the annual cost calculation, or they incorrectly treat it as a one-time expense without annualizing it, leading to an overestimated net benefit.

How to eliminate wrong answers

Option A is wrong because it incorrectly assumes the net annual benefit equals the full reduction in ALE ($400,000) without subtracting any costs. Option C is wrong because it subtracts only the annual operating cost ($30,000) from the ALE reduction, ignoring the implementation cost entirely. Option D is wrong because it likely results from subtracting the implementation cost ($150,000) from the ALE reduction but forgetting to subtract the annual operating cost ($30,000), yielding $250,000 instead of $220,000.

59
MCQeasy

Which of the following is a Key Control Indicator (KCI) that measures the effectiveness of a firewall?

A.Number of security incidents reported
B.Number of blocked intrusion attempts
C.Average time to patch vulnerabilities
D.Percentage of employees who completed security training
AnswerB

This directly reflects the firewall's ability to prevent attacks.

Why this answer

A KCI measures the performance or effectiveness of a control. The number of blocked intrusion attempts is a direct measure of the firewall's preventive effectiveness.

60
MCQmedium

Which of the following is a key element of promoting a risk-aware culture within an IT department?

A.Establishing an anonymous incident reporting system
B.Outsourcing risk management to a third party
C.Conducting annual performance reviews
D.Requiring employees to sign non-disclosure agreements
AnswerA

Anonymity encourages reporting without blame.

Why this answer

A risk-aware culture encourages employees to report incidents and near-misses without fear of blame, fostering learning and improvement.

61
MCQmedium

During a vendor risk assessment, a prospective vendor for critical services cannot provide a SOC 2 Type II report. According to the organization's vendor risk appetite, which action should be taken?

A.Lower the vendor's tier to reduce requirements
B.Accept the vendor's self-assessment instead
C.Reject the vendor or request a formal risk acceptance
D.Onboard the vendor with additional monitoring
AnswerC

This aligns with risk appetite; if risk is accepted, it must be formally documented.

Why this answer

A SOC 2 Type II report provides independent assurance over a service organization's controls over a period of time. When a prospective vendor for critical services cannot provide this report, and the organization's risk appetite is defined, the appropriate action is to reject the vendor or require a formal risk acceptance from the risk owner. This ensures that any deviation from the required control evidence is explicitly acknowledged and approved, rather than bypassing the requirement.

Exam trap

The trap here is that candidates may assume 'additional monitoring' (Option D) is a valid compensating control, but the CRISC exam emphasizes that for critical services, independent assurance (like SOC 2) is a non-negotiable baseline, and monitoring is a detective control, not a preventive or directive control that replaces the need for formal risk acceptance.

How to eliminate wrong answers

Option A is wrong because lowering the vendor's tier to reduce requirements would arbitrarily weaken the control baseline for a critical service, which contradicts the principle of aligning controls with risk criticality. Option B is wrong because accepting a vendor's self-assessment instead of a SOC 2 Type II report removes independent verification, introducing a conflict of interest and potentially hiding control weaknesses. Option D is wrong because onboarding the vendor with additional monitoring does not address the lack of foundational control assurance; monitoring can detect issues but cannot replace the need for pre-contract evidence of control effectiveness.

62
MCQhard

When integrating IT risk into the enterprise risk management (ERM) program, the most important consideration is:

A.Reporting IT risks only to the CIO
B.Eliminating IT risk reporting to the board
C.Mapping IT risks to enterprise risk categories
D.Using separate risk scoring for IT risks
AnswerC

Mapping ensures IT risks are included in the enterprise risk taxonomy.

Why this answer

IT risk should be treated as a component of broader operational risk to ensure alignment with enterprise-level risk appetite and reporting.

63
MCQmedium

During a vendor risk assessment, an organization discovers that a critical vendor has not performed a security assessment in two years. The vendor is tiered as 'medium risk'. According to best practices, what should the risk practitioner recommend?

A.Request a current SOC 2 report or equivalent assessment
B.Downgrade the vendor to low risk to reduce monitoring frequency
C.Accept the risk because the vendor is only medium risk
D.Terminate the relationship immediately
AnswerA

This ensures the organization has up-to-date information on the vendor's controls.

Why this answer

A SOC 2 report (or equivalent, such as an ISO 27001 certification or a SIG assessment) provides independent assurance over a vendor's controls, including security monitoring and assessment cadence. Since the vendor is tiered as 'medium risk' and has not performed a security assessment in two years, the risk practitioner should request current evidence of control effectiveness rather than accept, ignore, or escalate the risk prematurely. This aligns with the CRISC principle of verifying control status before making risk response decisions.

Exam trap

The trap here is that candidates may assume 'medium risk' automatically justifies risk acceptance (Option C), but CRISC requires that acceptance be based on current control evidence, not just the risk tier label.

How to eliminate wrong answers

Option B is wrong because downgrading a vendor's risk tier to reduce monitoring frequency would violate the risk assessment's integrity; the vendor's lack of assessment indicates a control gap, not a lower inherent risk. Option C is wrong because accepting risk without understanding the current control state (i.e., without a recent assessment) is premature and contradicts the risk response process, which requires informed acceptance based on evidence. Option D is wrong because terminating the relationship immediately is an extreme response that ignores the possibility of obtaining a current assessment or remediation plan; it fails to consider business continuity and the vendor's criticality.

64
MCQeasy

When implementing a new control, which of the following is the most important factor in ensuring its long-term effectiveness?

A.Selecting a control owner
B.Updating documentation
C.Conducting user training
D.Performing cost-benefit analysis
AnswerB

Documentation supports proper operation, training, and auditability, which are key to long-term effectiveness.

Why this answer

Documentation updates ensure that the control operates correctly and can be maintained, audited, and improved over time.

65
Multi-Selectmedium

A risk manager is reviewing the risk report content for a quarterly IT risk committee meeting. Which TWO items are most important to include in the report?

Select 2 answers
A.Risk heat map
B.Individual employee performance metrics
C.Detailed technical logs
D.Top risks and their status
E.List of all IT assets
AnswersA, D

Provides a visual overview of risk levels.

Why this answer

A risk heat map is a critical visual tool for risk reporting because it provides a concise, at-a-glance view of the likelihood and impact of identified risks, enabling the IT risk committee to quickly prioritize and make informed decisions. It directly supports the Risk Response and Reporting domain by summarizing complex risk data into actionable insights, which is essential for quarterly governance meetings.

Exam trap

The trap here is that candidates confuse operational data (like logs or asset lists) with strategic risk reporting content, failing to recognize that the committee needs summarized, decision-supporting visuals (heat map) and prioritized risk status, not raw technical details.

66
Multi-Selecthard

An organization is implementing continuous monitoring for its critical systems. Which TWO of the following are examples of continuous monitoring techniques? (Select TWO)

Select 2 answers
A.Continuous vulnerability scanning
B.Weekly review of access logs by a manager
C.Automated SIEM rules to detect anomalies
D.Annual penetration testing
E.Quarterly control testing by internal audit
AnswersA, C

Automated scanning can run continuously to detect new vulnerabilities.

Why this answer

Continuous monitoring involves automated, ongoing checks. SIEM rules continuously analyze logs for threats, and vulnerability scanning can be automated to run continuously or frequently.

67
Multi-Selectmedium

A financial services company is implementing a new control to mitigate the risk of unauthorized access to customer data. Which TWO of the following are key factors to consider during the control design phase?

Select 2 answers
A.Assigning control ownership to a specific individual or team
B.Conducting a cost-benefit analysis comparing annual control cost to ALE reduction
C.Performing user training on the new control
D.Developing a detailed control implementation plan
E.Selecting the control type (preventive, detective, or corrective)
AnswersB, E

Cost-benefit analysis ensures the control is economically justified.

Why this answer

A cost-benefit analysis comparing the annualized cost of the control to the reduction in Annualized Loss Expectancy (ALE) is a key factor during control design because it ensures the control is economically justified. This aligns with the risk response principle that the cost of mitigation should not exceed the risk reduction benefit, a core tenet of quantitative risk analysis in CRISC.

Exam trap

Cisco often tests the distinction between design-phase activities (like selecting control type and cost-benefit analysis) versus implementation or operational activities (like assigning ownership or training), leading candidates to confuse 'what to design' with 'how to run' the control.

68
MCQmedium

An organization is implementing a new access control system. The project manager is concerned about delays due to user training requirements. Which of the following should the risk practitioner prioritize to ensure effective control implementation?

A.Accelerate the deployment to meet the project deadline
B.Implement a compensating control to reduce training requirements
C.Delay the entire project until training can be completed
D.Ensure user training is completed before go-live
AnswerD

Training is essential for users to understand and follow the new access control procedures.

Why this answer

User training is a critical success factor for access control systems because misconfigured or improperly used controls can lead to security gaps. Ensuring training is completed before go-live (Option D) aligns with the principle that a control is only effective if users understand how to operate it correctly, preventing human error that could bypass the control's intended protections.

Exam trap

The trap here is that candidates may choose Option B (compensating control) thinking it is a valid risk treatment, but the question asks for what ensures effective control implementation, not just risk reduction—training is non-negotiable for the primary control to work as designed.

How to eliminate wrong answers

Option A is wrong because accelerating deployment to meet a deadline sacrifices control effectiveness; a rushed rollout without user training increases the risk of misconfiguration and security incidents. Option B is wrong because implementing a compensating control to reduce training requirements does not address the root cause—users must still understand the primary access control system to avoid errors that the compensating control cannot fully mitigate. Option C is wrong because delaying the entire project is unnecessarily disruptive; training can be completed in parallel with other project phases, and a full delay may introduce new risks from prolonged use of legacy systems.

69
MCQhard

During a vendor risk tiering exercise, a vendor that stores the organization's customer PII and is critical for daily operations should be classified as which tier?

A.Critical
B.Medium
C.High
D.Low
AnswerA

Critical tier applies to vendors with sensitive data and essential services.

Why this answer

Vendors with access to sensitive data and high service criticality are typically classified as critical (highest tier).

70
MCQeasy

Which type of control is designed to stop an undesirable event from occurring?

A.Corrective control
B.Preventive control
C.Directive control
D.Detective control
AnswerB

Preventive controls aim to stop events from happening.

Why this answer

A preventive control is designed to stop an undesirable event from occurring by enforcing policies or technical barriers before the event happens. For example, a firewall rule that blocks inbound traffic on port 23 (Telnet) prevents unauthorized remote access attempts, directly reducing the likelihood of a security incident.

Exam trap

The trap here is that candidates often confuse preventive controls with detective controls, mistakenly thinking that monitoring or alerting (detective) can stop an event, when in fact prevention requires proactive blocking mechanisms like access control lists (ACLs) or input validation.

How to eliminate wrong answers

Option A is wrong because a corrective control is applied after an undesirable event has occurred, aiming to restore normal operations (e.g., restoring data from backup after a ransomware attack). Option C is wrong because a directive control guides behavior through policies or procedures but does not physically or technically stop an event (e.g., a password policy requiring complex passwords does not prevent a brute-force attack by itself). Option D is wrong because a detective control identifies that an undesirable event has occurred or is occurring, such as an intrusion detection system (IDS) alerting on suspicious traffic, but it does not stop the event.

71
Multi-Selecthard

In the context of IT risk reporting to the board, which THREE elements should be included to effectively communicate risk?

Select 3 answers
A.Detailed technical logs
B.Top risks and status
C.Risk heat map
D.Employee performance reviews
E.Risk trend analysis
AnswersB, C, E

Highlights key concerns and progress.

Why this answer

A risk heat map, top risks and status, and risk trend analysis help the board understand the current and evolving risk landscape.

72
MCQhard

An organization uses a KRI that tracks the average time to patch critical vulnerabilities. The metric has been increasing over the past three months. What does this indicate from a risk perspective?

A.The control effectiveness is improving
B.The risk of exploitation is increasing
C.The risk appetite has been reduced
D.The risk of exploitation is decreasing
AnswerB

Longer patch times increase the window of vulnerability.

Why this answer

An increasing average time to patch critical vulnerabilities indicates that the organization is taking longer to remediate known security weaknesses. From a risk perspective, this directly increases the window of exposure, making it more likely that an attacker will exploit a vulnerability before a patch is applied. Therefore, the risk of exploitation is increasing.

Exam trap

The trap here is that candidates may confuse a rising KRI metric with improved security posture, failing to recognize that longer remediation times increase exposure and risk of exploitation.

How to eliminate wrong answers

Option A is wrong because an increasing patch time indicates control effectiveness is deteriorating, not improving; effective controls would show decreasing or stable patch times. Option C is wrong because risk appetite is a strategic decision about acceptable risk levels, not a metric derived from patch timeliness; a reduced risk appetite would typically drive faster patching, not slower. Option D is wrong because it is the direct opposite of the correct interpretation; increasing patch time means the risk of exploitation is increasing, not decreasing.

73
MCQeasy

An organization wants to promote a risk-aware culture. Which of the following actions is most effective in encouraging employees to report incidents without fear?

A.Establishing a non-punitive incident reporting policy
B.Conducting annual security awareness training
C.Publishing risk metrics on the intranet
D.Providing incentives for risk identification
AnswerA

This directly addresses fear of retaliation.

Why this answer

A non-punitive incident reporting policy is the most effective action because it directly removes the fear of retaliation or blame, which is the primary psychological barrier to reporting security incidents. By guaranteeing that employees will not face disciplinary action for reporting their own mistakes or observed issues, the organization fosters psychological safety and encourages timely disclosure. This aligns with the CRISC principle that a risk-aware culture requires trust and openness, which cannot be achieved through training or metrics alone if fear persists.

Exam trap

The trap here is that candidates often choose 'Conducting annual security awareness training' because they equate awareness with culture change, but the question specifically targets the barrier of fear, which training alone cannot remove.

How to eliminate wrong answers

Option B is wrong because annual security awareness training, while important for knowledge, does not address the emotional or cultural barrier of fear; employees may still hide incidents if they believe reporting will lead to punishment. Option C is wrong because publishing risk metrics on the intranet is a communication tactic that informs but does not create a safe reporting environment; it may even increase anxiety if metrics highlight failures without a supportive policy. Option D is wrong because providing incentives for risk identification can inadvertently encourage gaming the system or reporting only low-risk items, and it does not eliminate the fear of consequences for reporting one's own errors or serious incidents.

74
Multi-Selectmedium

An organization is designing a vendor risk assessment process for critical vendors. Which THREE of the following should be included in the initial onboarding assessment?

Select 3 answers
A.Security questionnaires
B.Continuous monitoring via shared intelligence platforms
C.Contract compliance review
D.Annual reassessment
E.SOC 2 report review
AnswersA, C, E

Questionnaires gather vendor security posture information.

Why this answer

Security questionnaires are a foundational tool in initial vendor onboarding because they systematically gather detailed information about the vendor's security controls, policies, and practices. This allows the organization to assess the vendor's baseline security posture against its own requirements before any business relationship begins.

Exam trap

The trap here is confusing ongoing monitoring activities (like continuous monitoring or annual reassessments) with the discrete, upfront steps required during the initial vendor onboarding assessment.

75
Multi-Selectmedium

Which TWO methods are commonly used for continuous monitoring of IT controls?

Select 2 answers
A.SIEM rules for automated testing
B.Board risk review
C.Annual control self-assessment
D.Vulnerability scanning
E.Quarterly internal audit
AnswersA, D

Continuously analyzes logs for anomalies.

Why this answer

Automated SIEM rules and vulnerability scanning are typical continuous monitoring techniques.
