CCNA CRISC Risk Response Questions

75 of 160 questions · Page 2/3 · CRISC Risk Response topic · Answers revealed

76
Multi-Select · medium

An organization is implementing a third-party risk management program. Which TWO are essential components of the initial vendor risk assessment process?

Select 2 answers
A. Security questionnaires
B. Contract compliance review
C. Review of SOC 2 Type II report
D. Quarterly vulnerability scans of vendor networks
E. Annual reassessment
Answers: A, C

Questionnaires gather information about the vendor's security practices.

Why this answer

Initial vendor assessments typically involve security questionnaires to gather information and review of SOC 2 reports to verify controls. These are foundational due diligence steps.

77
MCQ · medium

An organization is implementing a control to prevent unauthorized access to its critical database. The control must be designed to block access attempts in real time. Which type of control should be selected?

A. Corrective control
B. Detective control
C. Preventive control
D. Compensating control
Answer: C

Preventive controls block unauthorized access in real time.

Why this answer

A preventive control is designed to block unauthorized access attempts in real time before they reach the critical database. Technologies such as a database firewall or network access control list (ACL) evaluate each request against a policy and drop the packet or terminate the session immediately, preventing the access from occurring. This aligns with the requirement for real-time blocking, which is the defining characteristic of a preventive control.

Exam trap

The trap here is that candidates often confuse detective controls (such as monitoring or logging) with preventive controls, mistakenly thinking that detecting an attempt in real time is the same as blocking it; detection does not stop the action from occurring.

How to eliminate wrong answers

Option A is wrong because a corrective control acts after an incident has occurred (e.g., restoring a database from backup after a breach), not in real time to block access. Option B is wrong because a detective control identifies and logs unauthorized access attempts (e.g., via audit logs or intrusion detection systems) but does not block them in real time. Option D is wrong because a compensating control is an alternative mechanism used when the primary control is not feasible (e.g., using additional monitoring when encryption cannot be applied), but it is not the first choice for real-time blocking and does not inherently block access in real time.

78
Multi-Select · hard

During a quarterly IT risk review, the risk manager presents a risk heat map. Which TWO of the following elements should be included in the report to provide a comprehensive view?

Select 2 answers
A. Risk heat map showing current risk levels
B. Upcoming risk events and changes
C. List of all identified risks regardless of priority
D. Risk trend analysis over the past quarter
E. Detailed control performance metrics for all controls
Answers: A, D

The heat map is a standard visual tool.

Why this answer

Option A is correct because a risk heat map visually represents current risk levels based on likelihood and impact, which is essential for a quarterly review to show the organization's present risk posture. Option D is correct because including risk trend analysis over the past quarter provides a dynamic view of how risks have evolved, enabling stakeholders to assess whether risk responses are effective and to identify emerging patterns.

Exam trap

The trap here is that candidates may think a comprehensive risk report must include all possible details (like upcoming events or all risks), but CRISC emphasizes that a quarterly review should focus on current risk posture and trends, not exhaustive lists or forward-looking projections.

79
MCQ · medium

During a vendor risk assessment, a third-party vendor is classified as "critical" because it has access to sensitive customer data. According to the organization's risk appetite, what minimum security requirement should be mandated for this vendor?

A. SOC 2 Type II report
B. General liability insurance certificate
C. Penetration test results from the vendor
D. Self-assessment questionnaire only
Answer: A

This is a common requirement for critical vendors.

Why this answer

A SOC 2 Type II report is the minimum security requirement for a critical vendor with access to sensitive customer data because it provides an independent, audited assessment of the vendor's controls over security, availability, processing integrity, confidentiality, and privacy over a period of time. This aligns with the organization's risk appetite by ensuring that the vendor has demonstrated effective controls in place to protect sensitive data, rather than relying on a point-in-time test or self-reported information.

Exam trap

The trap here is that candidates often choose penetration test results (Option C) because they seem technically rigorous, but they fail to recognize that a point-in-time test does not provide the ongoing assurance of control effectiveness required for a critical vendor with access to sensitive customer data.

How to eliminate wrong answers

Option B is wrong because a general liability insurance certificate covers financial losses from incidents like property damage or bodily injury, not the technical security controls required to protect sensitive customer data. Option C is wrong because penetration test results provide only a point-in-time snapshot of vulnerabilities and do not demonstrate ongoing control effectiveness or compliance with security frameworks. Option D is wrong because a self-assessment questionnaire alone is insufficient for a critical vendor, as it relies on unverified self-reported information and lacks independent validation of security controls.

80
MCQ · medium

An organization is selecting a control to reduce the risk of unauthorized data exfiltration. The annual loss expectancy (ALE) for this risk is currently $500,000. The proposed control costs $80,000 annually and is expected to reduce the ALE by 60%. What is the net benefit (reduction in risk exposure minus control cost) of implementing this control?

A. $220,000
B. $420,000
C. $300,000
D. $120,000
Answer: A

Correct: $300,000 reduction minus $80,000 cost = $220,000.

Why this answer

The current ALE is $500,000. A 60% reduction lowers the ALE by $300,000 (0.60 × $500,000). The net benefit is the reduction in risk exposure ($300,000) minus the annual control cost ($80,000), resulting in $220,000.

This calculation directly measures the residual risk reduction against the cost of the control, a key concept in cost-benefit analysis for risk response.

Exam trap

The trap here is that candidates often forget to subtract the control cost from the risk reduction, mistakenly selecting the reduction amount ($300,000) as the net benefit, or they incorrectly apply the percentage to the wrong base value, such as subtracting the cost from the original ALE.

How to eliminate wrong answers

Option B ($420,000) is wrong because it incorrectly subtracts the control cost from the original ALE ($500,000 - $80,000), ignoring the 60% reduction factor. Option C ($300,000) is wrong because it represents only the reduction in ALE (60% of $500,000) without subtracting the control cost, failing to account for the expense of implementation. Option D ($120,000) is wrong because it mistakenly calculates the net benefit as the control cost ($80,000) subtracted from the remaining ALE after reduction ($200,000), which confuses residual risk with net benefit.

81
MCQ · easy

Which of the following is a Key Risk Indicator (KRI) that provides leading indication of increasing vulnerability risk?

A. Control deficiency rate
B. Patch lag metric
C. Mean time to detect (MTTD)
D. Number of security incidents
Answer: B

A high patch lag indicates increased vulnerability risk before exploitation.

Why this answer

Patch lag (time since last patch) is a leading indicator that systems are exposed to known vulnerabilities.

82
MCQ · medium

A company is evaluating the cost-benefit of a new control that reduces the annualized loss expectancy (ALE) from $500,000 to $100,000. The control has an annual cost of $150,000. What is the net benefit of implementing this control?

A. $350,000
B. $250,000
C. $400,000
D. $50,000
Answer: B

Correct calculation: ALE reduction of $400,000 minus control cost of $150,000 equals $250,000 net benefit.

Why this answer

The net benefit of implementing a control is calculated as the reduction in Annualized Loss Expectancy (ALE) minus the annual cost of the control. The ALE reduction is $500,000 - $100,000 = $400,000. Subtracting the annual control cost of $150,000 yields a net benefit of $250,000, making option B correct.

Exam trap

The trap here is that candidates often forget to subtract the annual control cost from the ALE reduction, mistakenly selecting the gross reduction ($400,000) as the net benefit, or they incorrectly subtract the residual ALE instead of the control cost.

How to eliminate wrong answers

Option A is wrong because $350,000 represents the ALE reduction ($400,000) minus only the residual ALE ($100,000) instead of the control cost, a common miscalculation. Option C is wrong because $400,000 is the gross reduction in ALE before subtracting the control's annual cost, ignoring the expense side of cost-benefit analysis. Option D is wrong because $50,000 incorrectly subtracts the control cost from the residual ALE ($100,000 - $150,000 = -$50,000) or misapplies the formula, yielding a negative or minimal value that does not reflect the actual net benefit.

83
MCQ · medium

A vendor is classified as 'critical' based on its access to sensitive data and the criticality of its service. According to best practices, what minimum security requirement should be mandated for this vendor?

A. Annual self-assessment questionnaire
B. Penetration test results from the vendor
C. ISO 27001 certificate
D. SOC 2 Type II report
Answer: D

SOC 2 Type II provides independent assurance over controls over a period.

Why this answer

For critical vendors, the risk appetite typically requires a SOC 2 Type II report, which provides assurance over controls related to security, availability, processing integrity, confidentiality, and privacy.

84
MCQ · medium

An organization is evaluating a new security control that costs $50,000 annually to implement and maintain. The current annualized loss expectancy (ALE) for a related risk is $200,000. The control is expected to reduce the ALE by 85%. Using cost-benefit analysis, what is the net benefit of implementing this control?

A. $120,000
B. $30,000
C. $170,000
D. $150,000
Answer: A

The net benefit is $120,000 per year.

Why this answer

The reduction in ALE is 85% of $200,000 = $170,000. The annual control cost is $50,000. Net benefit = $170,000 - $50,000 = $120,000.

85
Multi-Select · easy

An organization wants to promote a risk-aware culture. Which TWO of the following initiatives are most effective for achieving this?

Select 2 answers
A. Conducting regular security awareness training for all employees
B. Establishing a 'tone from the top' that emphasizes risk management
C. Implementing a blame-free incident reporting system
D. Offering financial incentives for risk identification
E. Increasing the IT risk team budget
Answers: A, B

Training educates employees on risk responsibilities.

Why this answer

Regular security awareness training directly educates employees on their role in risk management, reinforcing desired behaviors and decision-making aligned with the organization's risk appetite. This initiative operationalizes a risk-aware culture by embedding risk considerations into daily activities, making it a foundational element of the risk response strategy.

Exam trap

The trap here is that candidates often mistake a blame-free reporting system or financial incentives as cultural drivers, but the CRISC exam emphasizes that culture is shaped by leadership example and continuous education, not by reactive or transactional mechanisms.

86
Multi-Select · hard

An organization is developing a vendor risk management program. Which THREE activities should be included in the initial onboarding assessment for a high-risk vendor?

Select 3 answers
A. Evaluating contract compliance requirements
B. Reviewing SOC 2 Type II report
C. Conducting an onsite physical security inspection
D. Analyzing the vendor's financial statements
E. Reviewing completed security questionnaires
Answers: A, B, E

Ensures contractual security obligations are met.

Why this answer

Evaluating contract compliance requirements is a critical initial onboarding activity for a high-risk vendor because it ensures the vendor's service level agreements (SLAs), data protection clauses, and regulatory obligations (e.g., GDPR, PCI DSS) are formally documented and enforceable. This step establishes the legal and operational baseline for risk acceptance and ongoing monitoring, directly supporting the risk response strategy within the vendor risk management program.

Exam trap

The trap here is that candidates often confuse 'initial onboarding' with 'ongoing monitoring' and select activities like onsite inspections or financial analysis, which are typically performed later in the vendor lifecycle, not during the initial risk assessment phase.

87
Multi-Select · medium

An organization is implementing a new control to address a high-risk vulnerability. Which TWO factors are MOST important to consider during the control implementation planning phase?

Select 2 answers
A. Vendor reputation
B. Industry best practices
C. Resource requirements
D. Control implementation plan
E. Number of previous incidents
Answers: C, D

Ensures adequate funding and staff.

Why this answer

Resource requirements (budget, personnel) and a clear implementation plan are critical to successful deployment.

88
MCQ · hard

An organization has a risk culture where employees are hesitant to report security incidents due to fear of blame. Which of the following initiatives would MOST effectively promote a risk-aware culture?

A. Increase the frequency of security awareness training
B. Establish a confidential incident reporting system with a no-blame policy
C. Conduct more frequent audits to detect unreported incidents
D. Discipline employees who fail to report incidents
Answer: B

This directly reduces fear and encourages reporting.

Why this answer

To encourage incident reporting, the organization should foster a no-blame culture. Implementing an anonymous reporting mechanism removes fear of reprisal and encourages employees to report incidents without fear of blame.

89
MCQ · easy

Which of the following best describes the purpose of a risk heat map in an IT risk report?

A. To list the top risks in order of priority
B. To illustrate the relationship between risks and controls
C. To provide a visual representation of the likelihood and impact of risks
D. To show the cost of controls
Answer: C

Correct: heat maps plot likelihood vs. impact.

Why this answer

A risk heat map visually displays risks based on likelihood and impact, helping to prioritize and communicate risk levels.

90
Multi-Select · hard

A risk manager is designing a third-party risk management program. Which THREE factors should be considered when determining the risk tier of a vendor?

Select 3 answers
A. The vendor's physical location
B. The type of data the vendor will access
C. The vendor's annual revenue
D. The vendor's security certifications and audit results
E. The criticality of the service provided
Answers: B, D, E

Data sensitivity is a primary factor.

Why this answer

Data access, service criticality, and the vendor's security posture are key factors in risk tiering.

91
MCQ · easy

When implementing a new access control system, which activity is essential during the change management process?

A. Updating the system documentation and user manuals
B. Removing all legacy controls
C. Assigning control ownership to external vendors
D. Disabling audit logs to save storage
Answer: A

Documentation updates are a key step in change management.

Why this answer

Updating relevant documentation ensures that the change is properly recorded and that operational procedures remain accurate.

92
MCQ · medium

Which of the following is an example of a leading Key Risk Indicator (KRI) for IT risk?

A. Percentage of systems with missing critical patches
B. Number of audit findings resolved
C. Number of security incidents this quarter
D. Total cost of security incidents
Answer: A

This is a leading indicator of potential future exploits.

Why this answer

A leading Key Risk Indicator (KRI) predicts future risk events by measuring conditions that precede incidents. Missing critical patches on systems directly indicate a higher likelihood of exploitation, making it a leading indicator. In contrast, lagging KRIs like incident counts or costs measure outcomes after the fact.

Exam trap

The trap here is confusing leading indicators (which predict risk) with lagging indicators (which measure past events), leading candidates to pick options like the number of security incidents or audit findings resolved, which are reactive rather than predictive.

How to eliminate wrong answers

Option B is wrong because the number of audit findings resolved is a lagging indicator that measures remediation activity after issues have been identified, not a predictor of future risk. Option C is wrong because the number of security incidents this quarter is a lagging KRI that reports past events, not a leading indicator of impending risk. Option D is wrong because the total cost of security incidents is a lagging financial metric that quantifies damage after incidents occur, offering no forward-looking risk prediction.

93
MCQ · hard

An organization wants to promote a risk-aware culture. Which initiative is most effective in encouraging employees to report security incidents without fear?

A. Conducting annual security awareness training
B. Implementing a no-blame incident reporting policy
C. Increasing penalties for policy violations
D. Publishing names of employees who caused incidents
Answer: B

This fosters an environment where employees feel safe to report issues.

Why this answer

A 'no-blame' culture encourages reporting by removing fear of punishment for unintentional errors, leading to better risk identification and learning.

94
MCQ · hard

A risk manager is evaluating the effectiveness of a control that requires dual authorization for high-value transactions. The Key Control Indicator (KCI) for this control is the rate of transactions processed without dual authorization (i.e., exception rate). If the acceptable exception rate is less than 1% and the observed rate is 2.5%, what is the most appropriate immediate action?

A. Investigate the root cause of the exceptions
B. Redesign the control immediately
C. Accept the risk since the rate is still low
D. Increase the acceptable exception rate to 2.5%
Answer: A

Root cause analysis is needed to determine why the control is failing.

Why this answer

The observed exception rate of 2.5% exceeds the acceptable threshold of 1%, indicating a control deficiency. The most appropriate immediate action is to investigate the root cause of the exceptions to determine whether the control is failing due to process gaps, user behavior, or system issues. Root cause analysis (RCA) is a foundational step before any remediation, as it prevents premature redesign or unjustified risk acceptance.

Exam trap

The trap here is that candidates may assume a 2.5% exception rate is still 'low' and choose to accept the risk (Option C), but CRISC emphasizes that any deviation from the acceptable threshold requires investigation and remediation, not automatic acceptance.

How to eliminate wrong answers

Option B is wrong because redesigning the control immediately without understanding why the exceptions occur could introduce new risks or waste resources on an ineffective solution; the control may only need tuning or enforcement. Option C is wrong because accepting a risk that exceeds the defined acceptable exception rate violates the risk appetite and policy, and 2.5% is not 'low' when the threshold is 1%. Option D is wrong because increasing the acceptable exception rate to match the observed rate eliminates the control's effectiveness and undermines the purpose of the KCI, which is to detect and reduce unauthorized transactions.

95
Multi-Select · medium

A security awareness program is being designed to promote a risk-aware culture. Which TWO elements are most critical for the program's success?

Select 2 answers
A. Establishing a risk committee
B. Mandatory annual testing with pass/fail
C. Detailed technical training for all staff
D. Tone from the top
E. Communicating risk in business terms
Answers: D, E

Leadership sets the example and emphasizes importance.

Why this answer

Tone from the top demonstrates management commitment, and communicating risk in business terms ensures that employees understand the relevance to their roles. These are key to fostering a risk-aware culture.

96
MCQ · medium

In the context of ERM integration, IT risk is typically considered a subset of which broader risk category?

A. Strategic risk
B. Financial risk
C. Compliance risk
D. Operational risk
Answer: D

Correct. IT risk is part of operational risk.

Why this answer

In Enterprise Risk Management (ERM) integration, IT risk is typically categorized as a subset of operational risk because it directly impacts the availability, integrity, and confidentiality of information systems and data, which are core operational assets. Operational risk encompasses failures in internal processes, people, and systems, and IT risk—such as system outages, data breaches, or software defects—falls squarely within this domain. This alignment is reinforced by frameworks like COSO and ISO 31000, which treat technology-related failures as operational risk events.

Exam trap

The trap here is that candidates confuse IT risk with compliance risk (Option C) because many IT failures have regulatory implications (e.g., GDPR breaches), but IT risk is fundamentally about operational continuity, not just legal adherence.

How to eliminate wrong answers

Option A is wrong because strategic risk involves high-level decisions that affect long-term business goals (e.g., market entry or M&A), not the day-to-day technology failures that IT risk addresses. Option B is wrong because financial risk focuses on market fluctuations, credit, and liquidity, whereas IT risk is about system reliability and security, not monetary instruments. Option C is wrong because compliance risk is a subset of operational risk that deals with legal and regulatory adherence, but IT risk is broader, covering non-compliance issues like system performance and availability.

97
MCQ · medium

A vendor risk manager is tiering vendors based on the criticality of services and data access. A vendor that processes sensitive customer data for a core business application should be classified as which tier?

A. Critical
B. Low
C. Medium
D. High
Answer: A

Critical tier is for vendors with sensitive data and core services.

Why this answer

A vendor processing sensitive customer data for a core business application poses the highest potential impact on confidentiality, integrity, and availability. This aligns with the definition of a Critical tier, where failure or breach would cause severe business disruption, regulatory penalties, and reputational damage. The classification is driven by the combination of sensitive data access and the application's essential role in business operations.

Exam trap

The trap here is that candidates may confuse 'High' with 'Critical' because both imply significant risk, but CRISC defines Critical as the highest tier reserved for vendors whose failure would cause catastrophic business impact, often involving sensitive data and core processes simultaneously.

How to eliminate wrong answers

Option B is wrong because a Low tier is reserved for vendors with no access to sensitive data and minimal impact on business operations, which does not apply here. Option C is wrong because a Medium tier typically involves vendors with some data access but not to sensitive customer data, and their services are not core to business continuity. Option D is wrong because a High tier, while indicating significant risk, is often used for vendors with critical services but limited sensitive data access; the presence of both sensitive customer data and a core business application elevates the risk to Critical.

98
MCQ · hard

During a quarterly risk review, the CISO notes that the number of failed authentication attempts has increased by 300% over the last month. The IT team confirms no changes to authentication systems. This metric is BEST categorized as which of the following?

A. Key Performance Indicator (KPI)
B. Service Level Agreement (SLA) metric
C. Key Risk Indicator (KRI)
D. Key Control Indicator (KCI)
Answer: C

KRIs are leading indicators that signal potential changes in risk exposure.

Why this answer

A Key Risk Indicator (KRI) is a metric used to signal a change in risk exposure. A 300% increase in failed authentication attempts, with no changes to the authentication system, strongly indicates a potential ongoing brute-force attack or credential stuffing campaign, directly elevating the risk of unauthorized access. This metric is not measuring performance (KPI), contractual service levels (SLA), or the effectiveness of a specific control (KCI), but rather a change in the risk landscape.

Exam trap

The trap here is confusing a KRI with a KPI or KCI because all three are metrics, but a KRI specifically measures changes in risk exposure (like a sudden spike in failed logins), not operational performance or control effectiveness.

How to eliminate wrong answers

Option A is wrong because a Key Performance Indicator (KPI) measures the efficiency or effectiveness of a process or system (e.g., average authentication response time), not a change in risk exposure. Option B is wrong because a Service Level Agreement (SLA) metric is a contractual target for service availability or performance (e.g., 99.9% uptime), not a leading indicator of security risk. Option D is wrong because a Key Control Indicator (KCI) measures the operational health or performance of a specific control (e.g., percentage of accounts with MFA enabled), whereas a spike in failed logins is a direct risk signal, not a control performance metric.

99
MCQ · easy

Which of the following is a detective control?

A. Backup and recovery plan
B. Intrusion detection system (IDS)
D. Data encryption
Answer: B

IDS detects and alerts on potential intrusions.

Why this answer

Intrusion detection systems (IDS) monitor network traffic and alert on suspicious activity after it occurs.

100
MCQ · medium

An organization is implementing a new access control system. Which of the following is the MOST important consideration during the implementation phase?

A. Control ownership assignment
B. User training
C. Change management
D. Documentation update
Answer: C

Change management ensures controlled implementation, reducing the risk of unintended consequences.

Why this answer

During the implementation phase of a new access control system, change management is the most critical consideration because it ensures that all changes to the authentication and authorization infrastructure are controlled, tested, and approved before deployment. Without a formal change management process, misconfigurations in protocols like LDAP, RADIUS, or SAML can lead to security gaps or service outages, making it the foundational control for a successful rollout.

Exam trap

The trap here is that candidates often confuse 'most important during implementation' with 'most important overall,' leading them to select user training or documentation, but CRISC emphasizes that uncontrolled changes introduce the highest risk of failure and security incidents during the deployment phase.

How to eliminate wrong answers

Option A is wrong because control ownership assignment is a governance activity that occurs during the design or planning phase, not during implementation; it defines who is accountable for the control after deployment, but does not address the immediate risks of introducing new technology. Option B is wrong because user training, while important for adoption, is a post-implementation or operational activity that does not mitigate the technical risks of misconfiguration or integration failure during the actual deployment of the access control system. Option D is wrong because documentation update is a supporting activity that should occur throughout the lifecycle, but it is not the most critical consideration during implementation; failing to update documentation does not directly cause security incidents or system downtime like a poorly managed change can.

101
MCQ · hard

An organization notices a spike in failed authentication attempts over the past week. This metric is best classified as which type of risk indicator?

A. Key Control Indicator (KCI)
B. Lagging indicator
C. Key Risk Indicator (KRI)
D. Compliance metric
Answer: C

KRIs are leading indicators that the risk level is changing; a spike in failed authentication attempts indicates a potential attack.

Why this answer

A spike in failed authentication attempts is a direct measure of a risk condition (e.g., brute-force attacks or credential stuffing) that can lead to unauthorized access. This metric is best classified as a Key Risk Indicator (KRI) because it tracks changes in risk exposure over time, enabling proactive risk response. Unlike a KCI, which measures control effectiveness, or a lagging indicator, which reports past incidents, this metric signals an evolving threat in near real-time.

Exam trap

Cisco often tests the distinction between KRI and KCI by presenting a metric that could be interpreted as either, but the trap here is that failed authentication attempts directly measure risk exposure (KRI) rather than control performance (KCI), even though a control like account lockout might influence the metric.

How to eliminate wrong answers

Option A is wrong because a Key Control Indicator (KCI) measures the performance or effectiveness of a specific control (e.g., percentage of accounts with multi-factor authentication enabled), not the raw frequency of failed authentication attempts. Option B is wrong because a lagging indicator reports outcomes after they have occurred (e.g., number of successful breaches), whereas failed authentication attempts are a leading indicator of potential compromise. Option D is wrong because a compliance metric measures adherence to regulatory or policy requirements (e.g., password complexity rules), not the real-time operational risk of authentication failures.

102
MCQ · easy

In a risk-aware culture, which of the following behaviors is MOST encouraged?

A. Focusing only on compliance requirements
B. Assigning blame to individuals for security breaches
C. Hiding minor incidents to maintain performance metrics
D. Reporting security incidents without fear of blame
Answer: D

Blame-free reporting promotes transparency and learning.

Why this answer

In a risk-aware culture, the primary goal is to encourage transparency and continuous improvement in risk management. Reporting security incidents without fear of blame (Option D) is most encouraged because it enables timely detection, analysis, and remediation of threats, directly supporting the Risk Response and Reporting domain by fostering an environment where incidents are escalated promptly rather than concealed.

Exam trap

The trap here is that candidates may confuse a risk-aware culture with a compliance-driven or blame-oriented culture, mistakenly thinking that strict accountability or adherence to rules is the primary driver, rather than the psychological safety that enables open incident reporting.

How to eliminate wrong answers

Option A is wrong because focusing only on compliance requirements ignores residual risks and emerging threats that are not covered by regulatory checklists, leading to a false sense of security. Option B is wrong because assigning blame to individuals for security breaches discourages reporting and shifts focus from systemic root-cause analysis to punitive measures, which undermines a learning culture. Option C is wrong because hiding minor incidents to maintain performance metrics violates the principle of transparency and can allow small issues to escalate into major breaches, compromising the organization's risk posture.

103
MCQ · easy

Which of the following is the primary purpose of a risk heat map in a risk report?

A. To track compliance with regulations
B. To detail remediation plans
C. To prioritize risks based on likelihood and impact
D. To show control performance over time
Answer: C

Heat maps use likelihood and impact to rank risks, aiding prioritization.

Why this answer

A risk heat map visually plots risks on a grid based on their likelihood (probability) and impact (consequence), enabling stakeholders to quickly identify which risks require immediate attention. This prioritization is the primary purpose because it directly supports risk response decisions by highlighting high-priority risks that exceed the organization's risk appetite.

Exam trap

The trap here is that candidates often confuse a risk heat map with a control effectiveness dashboard, mistakenly thinking its purpose is to show control performance over time, when in fact it is solely a prioritization tool based on likelihood and impact.

How to eliminate wrong answers

Option A is wrong because tracking compliance with regulations is a function of compliance dashboards or audit reports, not a risk heat map, which focuses on risk prioritization rather than regulatory adherence. Option B is wrong because detailing remediation plans is the purpose of a risk treatment plan or action tracker, while a heat map only shows the current risk posture without prescribing specific remediation steps. Option D is wrong because showing control performance over time is the role of control effectiveness metrics or trend charts, whereas a heat map provides a static snapshot of risk levels at a point in time, not historical control performance.

104
MCQ · easy

Which type of control is primarily designed to prevent an unwanted event from occurring?

A. Corrective control
B. Detective control
C. Directive control
D. Preventive control
Answer: D

Preventive controls aim to stop threats from happening.

Why this answer

Preventive controls are implemented to deter or avoid potential risks before they materialize.

105
Multi-Select · hard

An organization is implementing continuous monitoring for its critical systems. Which THREE of the following activities are examples of continuous monitoring? (Select three.)

Select 3 answers
A. Annual internal audit of access controls
B. Weekly vulnerability scanning of all servers
C. Real-time monitoring of firewall logs for anomalies
D. Automated correlation of security events via SIEM
E. Quarterly review of user access rights by managers
Answers: B, C, D

Weekly scanning can be considered continuous if automated.

Why this answer

Weekly vulnerability scanning of all servers is a continuous monitoring activity because it occurs at a regular, frequent interval, enabling the organization to identify and remediate vulnerabilities in a timely manner. This aligns with the principle of ongoing risk response and reporting, as it provides recurring visibility into the security posture of critical systems.

Exam trap

The trap here is that candidates often confuse periodic reviews (like quarterly or annual audits) with continuous monitoring, failing to recognize that continuous monitoring requires frequent, automated, or real-time data collection rather than infrequent manual checks.

106
MCQ · hard

A third-party vendor has been tiered as 'high risk' due to access to sensitive customer data. The vendor's SOC 2 Type II report has a qualified opinion on security controls. The vendor risk appetite requires unqualified SOC 2 Type II for critical vendors. What is the MOST appropriate risk response?

A. Accept the qualified report and continue monitoring
B. Implement additional compensating controls on the organization's side
C. Require the vendor to remediate the issues and provide an updated report within a defined timeframe
D. Downgrade the vendor to medium risk tier
Answer: C

This addresses the gap and aligns with risk appetite.

Why this answer

If a vendor does not meet the minimum security requirements for its tier, and the organization cannot accept the risk, the appropriate response is to remediate by requiring the vendor to address the qualification or find an alternative vendor that meets the requirements.

107
MCQ · hard

A key control indicator (KCI) for a critical access control shows a deficiency rate of 12% for the quarter, exceeding the target of 5%. Which of the following should be the risk practitioner's PRIMARY action?

A. Investigate root causes of the high deficiency rate
B. Escalate the deficiency to the board immediately
C. Implement compensating controls to reduce risk
D. Increase the frequency of control testing
Answer: A

Understanding why the control is failing is the primary step before any remediation or reporting.

Why this answer

The primary action is to investigate root causes because a KCI deficiency rate of 12% against a 5% target indicates a systemic control failure. Without understanding why the access control is failing (e.g., misconfigured role-based access control (RBAC) rules, stale user entitlements, or bypassed multi-factor authentication), any subsequent remediation may be ineffective. Root cause analysis ensures the risk practitioner addresses the underlying issue rather than applying a superficial fix.

Exam trap

The trap here is that candidates often choose 'implement compensating controls' or 'increase testing frequency' because they focus on immediate risk reduction, but the CRISC exam emphasizes that understanding the root cause is the foundational step before any remediation action.

How to eliminate wrong answers

Option B is wrong because escalating a 12% deficiency rate directly to the board without first performing root cause analysis bypasses the risk management process; the board requires actionable insights, not raw metrics. Option C is wrong because implementing compensating controls before understanding the root cause may introduce unnecessary complexity and cost, and could mask the real problem rather than solve it. Option D is wrong because increasing the frequency of control testing only provides more data points on the same failing control; it does not reduce the deficiency rate or address why the control is underperforming.

108
MCQ · medium

The risk team is evaluating the cost-effectiveness of a proposed control that will reduce the annualized loss expectancy (ALE) for a cyber attack from $500,000 to $100,000. The annual cost of the control is $150,000. What is the net benefit of implementing this control?

A. $400,000
B. $250,000
C. $150,000
D. $350,000
Answer: B

Correct: $400,000 reduction minus $150,000 cost equals $250,000 net benefit.

Why this answer

The ALE reduction is $400,000. Subtracting the control cost of $150,000 gives a net benefit of $250,000.

109
Multi-Select · medium

Which THREE of the following are components of an effective IT risk reporting structure for a large enterprise? (Select THREE)

Select 3 answers
A. Strategic risk reporting to the board on a semi-annual basis
B. Tactical risk reporting to the CISO on a quarterly basis
C. Annual risk reporting to IT operational staff
D. Daily risk reporting to the board
E. Operational risk reporting to IT management on a weekly basis
Answers: A, B, E

Strategic reporting provides high-level risk information for governance.

Why this answer

Strategic risk reporting to the board on a semi-annual basis is correct because the board requires high-level, aggregated risk information that aligns with enterprise strategy and risk appetite. Semi-annual reporting provides sufficient frequency for oversight without overwhelming the board with operational details, as mandated by governance frameworks like COBIT and ISO 31000.

Exam trap

The trap here is that candidates confuse the frequency and audience for risk reporting, assuming that more frequent reporting to higher levels is always better, when in fact the board needs less frequent, strategic summaries and operational staff need more frequent, detailed updates.

110
Multi-Select · hard

A company's IT risk manager is evaluating Key Risk Indicators (KRIs) for the cybersecurity function. Which TWO of the following are valid examples of leading KRIs?

Select 2 answers
A. System downtime due to security incidents
B. Patch lag metric for critical systems
C. Failed authentication spike detection
D. Number of audit findings related to access controls
E. Number of successful cyber attacks in the past quarter
Answers: B, C

Patch lag is a leading indicator of vulnerability risk.

Why this answer

Option B is correct because a patch lag metric measures the time taken to apply security patches to critical systems, which is a proactive indicator of potential vulnerability exposure before an exploit occurs. As a leading KRI, it predicts future security incidents by highlighting delayed remediation efforts, aligning with the CRISC focus on forward-looking risk indicators.

Exam trap

The trap here is confusing lagging indicators (which measure past events like downtime or audit findings) with leading indicators (which predict future risk), leading candidates to select outcome-based metrics like successful attacks instead of proactive measures like patch lag.

111
MCQ · medium

An organization's risk report shows a risk heat map with several risks in the high-likelihood, high-impact quadrant. What is the most appropriate action for the risk owner?

A. Report to the board without any analysis
B. Ignore the risks as they are inherent
C. Accept the risk without further action
D. Evaluate current controls and consider additional treatment
Answer: D

This is the appropriate risk response.

Why this answer

Controls should be evaluated for effectiveness, and if inadequate, additional risk treatment options should be considered to reduce risk to an acceptable level.

112
MCQ · easy

An organization is implementing a new access control system to prevent unauthorized access to sensitive data. Which type of control is being implemented?

A. Detective control
B. Compensating control
C. Preventive control
D. Corrective control
Answer: C

Correct. Preventive controls aim to stop incidents before they happen.

Why this answer

An access control system that prevents unauthorized access to sensitive data is a preventive control because it enforces security policies before access is granted. Technologies like mandatory access control (MAC) or role-based access control (RBAC) with Access Control Lists (ACLs) block unauthorized users at the point of entry, reducing the risk of data exposure.

Exam trap

The trap here is that candidates confuse preventive controls with detective controls because both involve monitoring, but preventive controls actively block access (e.g., firewall deny rules) while detective controls only log or alert after the fact.

How to eliminate wrong answers

Option A is wrong because detective controls, such as audit logs or intrusion detection systems, identify unauthorized access after it has occurred, not prevent it. Option B is wrong because compensating controls are alternative measures used when primary controls are not feasible, such as additional monitoring for legacy systems, not the primary access control system itself. Option D is wrong because corrective controls, like data restoration from backups or revoking compromised credentials, address damage after an incident, not prevent initial unauthorized access.

113
Multi-Select · medium

A risk practitioner is evaluating the effectiveness of a security awareness program. Which TWO indicators would BEST measure whether the program is positively influencing risk culture? (Select TWO)

Select 2 answers
A. Time spent on training per employee
B. Number of security policies updated
C. Increase in reported phishing attempts by employees
D. Number of employees who completed training
E. Decrease in incidents caused by human error
Answers: C, E

Increased reporting indicates employees are more vigilant and willing to report.

Why this answer

An increase in reported phishing attempts indicates that employees are more vigilant and willing to report suspicious activity, which is a direct behavioral measure of a positive risk culture. A decrease in incidents caused by human error shows that the training has effectively changed behavior and reduced risk exposure. Both indicators reflect actual risk-aware actions rather than mere completion metrics.

Exam trap

The trap here is confusing activity-based metrics (time spent, completion rates) with outcome-based metrics (behavior change, incident reduction), which is a common CRISC pitfall when evaluating program effectiveness.

114
Multi-Select · hard

A multinational corporation is developing its IT risk reporting structure. The risk manager must align reports with different audiences. Which THREE of the following reporting frequencies and audiences are correctly matched?

Select 3 answers
A. Strategic risk reporting: semi-annual to the board
B. Operational risk reporting: weekly to IT management
C. Operational risk reporting: monthly to IT management
D. Tactical risk reporting: monthly to the board
E. Strategic risk reporting: weekly to the board
Answers: A, B, C

Strategic reports are semi-annual or annual to the board.

Why this answer

Option A is correct because strategic risk reporting, which addresses high-level enterprise risks and long-term objectives, is appropriately directed to the board of directors on a semi-annual basis. This frequency aligns with the board's oversight role and the need for periodic, aggregated risk insights without overwhelming them with operational details.

Exam trap

The trap here is that candidates confuse the appropriate audience and frequency for tactical versus strategic reporting, often assuming the board needs frequent updates, when in fact the board requires high-level, less frequent strategic reports, while operational and tactical reports are more frequent and directed to management.

115
Multi-Select · medium

A risk practitioner is developing a tactical risk report for the CISO. Which TWO of the following elements should be included in the report? (Select TWO)

Select 2 answers
A. Long-term risk trend analysis
B. Risk heat map
C. Detailed log analysis from SIEM
D. Control performance metrics
E. Top risks and their status
Answers: D, E

Control performance is relevant for tactical management.

Why this answer

Tactical risk reporting typically includes control performance metrics and top risks with status. Risk heat maps and trend analyses are more strategic, and detailed logs are operational.

116
Multi-Select · medium

A third-party vendor has been assessed as high risk due to its access to sensitive data. Which TWO ongoing monitoring activities are most appropriate for this vendor? (Select two.)

Select 2 answers
A. Daily manual review of vendor logs
B. Monthly conference calls with vendor management
C. Annual reassessment of security controls
D. Continuous monitoring via threat intelligence sharing platforms
E. Single initial onboarding assessment
Answers: C, D

Annual reassessment is typical for high-risk vendors.

Why this answer

Ongoing monitoring for high-risk vendors should include periodic reassessments and continuous monitoring via shared intelligence platforms. Annual reassessment is common, and continuous monitoring provides timely risk information.

117
Multi-Select · medium

An organization is implementing a risk-aware culture. Which TWO of the following are effective practices?

Select 2 answers
A. Conduct annual security awareness training only.
B. Encourage incident reporting without fear of blame.
C. Provide incentives for risk identification.
D. Tone from the top: leadership demonstrates commitment to risk management.
E. Blame individuals for incidents to deter future occurrences.
Answers: B, D

Psychological safety promotes reporting, strengthening culture.

Why this answer

Tone from top and incident reporting without blame are key to promoting a risk-aware culture. Security awareness training is also important, but the question asks for TWO practices, and these are most directly related to culture.

118
MCQ · easy

Which risk reporting frequency is most appropriate for tactical risk reporting to the CISO/CIO?

A. Weekly
B. Monthly
C. Annually
D. Quarterly
Answer: D

Quarterly is standard for tactical reporting to senior IT management.

Why this answer

Tactical risk reporting typically occurs quarterly to provide a balance between timeliness and stability for management decision-making.

119
MCQ · medium

A risk practitioner is performing a cost-benefit analysis for a proposed control. The annualized loss expectancy (ALE) for a risk is currently $500,000. The proposed control will reduce the ALE by 80%, and the annual cost of the control is $150,000. What is the net benefit of implementing the control?

A. $100,000
B. $250,000
C. $400,000
D. $350,000
Answer: B

Correct calculation.

Why this answer

The reduction in ALE is $500,000 × 0.80 = $400,000. The annual control cost is $150,000, so net benefit = $400,000 - $150,000 = $250,000.

120
MCQ · hard

An organization uses a SIEM to automatically test access control rules on a continuous basis. This is an example of which type of monitoring?

A. Continuous monitoring
B. Key Risk Indicator monitoring
C. Vulnerability scanning
D. Periodic control testing
Answer: A

SIEM-based automated testing runs continuously, providing real-time assurance.

Why this answer

A SIEM that automatically tests access control rules on a continuous basis performs ongoing validation of rule effectiveness and compliance. This is a classic example of continuous monitoring, where security controls are assessed in real-time or near-real-time without manual intervention, ensuring that access policies remain effective against evolving threats.

Exam trap

The trap here is confusing continuous monitoring with periodic control testing, as many candidates assume that any automated test must be a scheduled vulnerability scan, but the key differentiator is the 'continuous' nature versus scheduled intervals.

How to eliminate wrong answers

Option B is wrong because Key Risk Indicator (KRI) monitoring focuses on tracking specific risk metrics (e.g., number of failed logins) rather than directly testing the functionality of access control rules. Option C is wrong because vulnerability scanning identifies known software vulnerabilities (e.g., missing patches) in systems, not the correctness or enforcement of access control rules. Option D is wrong because periodic control testing occurs at scheduled intervals (e.g., quarterly audits), whereas the scenario explicitly states 'continuous basis', which implies ongoing, automated validation rather than discrete, scheduled tests.

121
MCQ · easy

Which control implementation activity involves updating system configurations and user access rights when a new security tool is deployed?

A. User training
B. Project management
C. Documentation update
D. Change management
Answer: D

Change management governs updates to systems and configurations.

Why this answer

Deploying a new security tool requires updating system configurations and user access rights, which directly impacts the operational environment. Change management (Option D) is the formal process that governs these modifications to ensure they are authorized, tested, and documented, minimizing risk of disruption or security gaps. This aligns with the CRISC domain of Risk Response and Reporting, where controlled changes are a key risk mitigation activity.

Exam trap

The trap here is that candidates may confuse 'change management' with 'project management' because both involve planning and coordination, but change management specifically governs the technical alterations to configurations and access rights, whereas project management handles the broader initiative's logistics.

How to eliminate wrong answers

Option A is wrong because user training focuses on educating personnel on how to use the new tool, not on updating system configurations or access rights. Option B is wrong because project management oversees the overall deployment timeline, budget, and resources, but does not directly handle the technical updates to configurations and access controls. Option C is wrong because documentation update records the changes after they are made, but it is not the activity that performs the actual configuration and access right updates.

122
MCQ · easy

An organization has implemented a new firewall rule to block malicious IP addresses. This is an example of which type of control?

A. Directive control
B. Preventive control
C. Corrective control
D. Detective control
Answer: B

Preventive controls aim to stop undesirable events from occurring.

Why this answer

A firewall rule that blocks malicious IP addresses is a preventive control because it proactively stops unauthorized traffic before it can reach the internal network. By filtering packets based on source IP addresses, the firewall enforces access control policies at the network layer, preventing potential attacks from ever being initiated. This aligns with the CRISC definition of preventive controls, which are designed to avoid or deter undesirable events.

Exam trap

The trap here is confusing preventive controls with detective controls, as candidates often think of firewalls as 'detecting' threats, but the key distinction is that a firewall rule actively blocks (prevents) traffic, not merely logs or alerts on it.

How to eliminate wrong answers

Option A is wrong because directive controls are policies, procedures, or guidelines that define acceptable behavior (e.g., an acceptable use policy), not technical mechanisms that block traffic. Option C is wrong because corrective controls are applied after an incident to restore operations (e.g., restoring from backup after a ransomware attack), not to block threats in real time. Option D is wrong because detective controls identify and log malicious activity after it has occurred (e.g., intrusion detection system alerts), whereas a firewall rule actively prevents the traffic from entering.

123
MCQ · medium

An organization's continuous monitoring program includes automated vulnerability scanning and log review. Which of the following is a Key Risk Indicator (KRI) that would BEST signal an increasing risk of a successful network breach?

A. Average time to patch critical vulnerabilities
B. Spike in failed authentication attempts from external IPs
C. Number of firewall rule changes per month
D. Percentage of systems with up-to-date antivirus signatures
Answer: B

A spike in failed authentication attempts is a leading indicator of a potential credential stuffing or brute force attack.

Why this answer

A KRI should be leading, indicating a change in risk level. A spike in failed authentication attempts often precedes a brute force attack or credential compromise, signaling increased risk of breach.

124
Multi-Select · easy

An organization is implementing continuous monitoring for its network security controls. Which TWO of the following are examples of continuous monitoring techniques?

Select 2 answers
A. Annual access reviews
B. Annual vulnerability scanning
C. Quarterly control testing by internal audit
D. Automated control testing via SIEM rules
E. Weekly vulnerability scanning
Answers: D, E

SIEM rules provide real-time, continuous monitoring.

Why this answer

Option D is correct because automated control testing via SIEM rules enables real-time or near-real-time validation of security controls by correlating log data and triggering alerts on deviations. This is a core continuous monitoring technique because it operates on an ongoing basis without manual intervention, unlike periodic reviews or scans.

Exam trap

The trap here is that candidates confuse periodic activities (annual, quarterly, weekly) with continuous monitoring, failing to recognize that 'continuous' implies automated, real-time or near-real-time validation, not just frequent scheduled checks.

125
MCQ · easy

The Chief Information Security Officer (CISO) receives a quarterly report that includes a risk heat map and trend analysis of top risks. This type of reporting is best described as:

A. Operational risk reporting
B. Strategic risk reporting
C. Tactical risk reporting
D. Compliance reporting
Answer: C

Tactical reporting is quarterly and aimed at CISO/CIO, covering heat maps and trends.

Why this answer

Tactical risk reporting is typically provided to senior IT management (CISO/CIO) on a quarterly basis and includes risk heat maps and trend analyses.

126
MCQ · hard

During a control implementation project, the risk manager discovers that the resource requirements have increased significantly, making the original cost-benefit analysis invalid. What should the risk manager do first?

A. Continue the project and request additional budget later
B. Escalate to the board for approval of additional funds
C. Cancel the project immediately
D. Perform a revised cost-benefit analysis
Answer: D

Reassessing the business case is the appropriate first step.

Why this answer

Before proceeding, the risk manager should reassess the cost-benefit analysis with updated costs to determine if the control is still justified.

127
MCQ · easy

Which of the following is a detective control?

A. Intrusion detection system (IDS)
C. Backup and recovery procedure
D. Data encryption
Answer: A

IDS is a detective control.

Why this answer

Detective controls identify incidents after they occur. An intrusion detection system (IDS) monitors network traffic and alerts on suspicious activity, making it a detective control.

128
MCQ · hard

A Key Control Indicator (KCI) for a critical firewall rule set shows an exception rate of 12% over the past month, exceeding the acceptable threshold of 5%. The control owner is responsible for remediation. Which action should the risk practitioner recommend FIRST?

A. Temporarily disable the firewall rules causing exceptions
B. Implement an automated rule change management process
C. Update the KCI threshold to 12%
D. Conduct a root cause analysis of the exceptions
Answer: D

Root cause analysis is essential to identify why exceptions are occurring and to determine appropriate remediation.

Why this answer

The first step in addressing an elevated KCI is to investigate the root cause of the exceptions to determine if they are due to rule misconfigurations, policy violations, or other issues before taking corrective action.

129
Multi-Select · medium

An organization is conducting a post-implementation review of a new data loss prevention (DLP) control. Which TWO metrics are Key Control Indicators (KCIs) that would best measure the control's effectiveness?

Select 2 answers
A. Cost of the DLP solution per year
B. Percentage of DLP policy violations that were not blocked
C. Average time to respond to DLP incidents
D. Number of DLP alerts generated per day
E. Number of authorized exceptions to DLP policies
Answers: B, E

This deficiency rate measures control failures.

Why this answer

Option B is correct because the percentage of DLP policy violations that were not blocked directly measures the control's failure rate—its inability to prevent unauthorized data exfiltration. A high percentage indicates ineffective policy configuration or insufficient detection coverage, making it a key control indicator (KCI) for effectiveness. Option E is correct because the number of authorized exceptions to DLP policies reflects how often the control is deliberately bypassed, which can indicate gaps in policy design or excessive risk acceptance, both of which undermine the control's intended effectiveness.

Exam trap

The trap here is that candidates confuse operational metrics (like alert volume or response time) with effectiveness metrics, failing to recognize that KCIs must directly measure whether the control is achieving its intended risk mitigation outcome, not just how much activity it generates.

130
MCQ · medium

An organization is implementing a new access control system to protect sensitive data. Which type of control is most appropriate for preventing unauthorized access?

A. Detective control
B. Preventive control
C. Corrective control
D. Compensating control
Answer: B

Preventive controls are designed to stop unwanted events from occurring.

Why this answer

Preventive controls are designed to deter or prevent undesirable events from occurring. Access control systems are a classic example of preventive controls as they block unauthorized access before it happens.

131
Multi-Select · hard

A third-party vendor is classified as high risk due to its access to sensitive data. Which THREE activities should be part of ongoing monitoring for this vendor?

Select 3 answers
A. Contract compliance reviews to ensure terms are met.
B. Requiring SOC 2 Type II certification before contract signing.
C. Continuous monitoring via shared threat intelligence platforms.
D. Annual reassessment of the vendor's security posture.
E. Initial onboarding security questionnaire review.
Answers: A, C, D

Contract compliance is part of ongoing oversight.

Why this answer

Option A is correct because contract compliance reviews are a fundamental ongoing monitoring activity for high-risk vendors. They ensure the vendor continues to adhere to agreed-upon security controls, data handling procedures, and service-level agreements (SLAs) throughout the relationship, not just at onboarding. This is a continuous verification process, distinct from one-time checks.

Exam trap

The trap here is confusing pre-contract due diligence activities (like SOC 2 certification or initial questionnaires) with ongoing monitoring activities, leading candidates to select options that are valid but belong to a different phase of the vendor risk management lifecycle.

132
MCQ · medium

A Key Control Indicator (KCI) for a firewall rule review process shows an exception rate of 15% for the past quarter, exceeding the acceptable threshold of 10%. What is the most appropriate immediate action for the control owner?

A. Investigate the root cause of the high exception rate
B. Increase the acceptable threshold to 20%
C. Replace the control with a different one
D. Escalate to the board immediately
Answer: A

Root cause analysis is the first step to address the issue.

Why this answer

A KCI exception rate exceeding the threshold indicates a process failure, not necessarily a control failure. The control owner must first perform root cause analysis to determine whether the exceptions are due to misconfigured rules, policy violations, or environmental changes before taking corrective action. This aligns with the CRISC principle that control owners are responsible for monitoring and improving control effectiveness through investigation.

Exam trap

Cisco often tests the misconception that exceeding a KCI threshold automatically requires escalation or control replacement, when in fact the immediate step is always root cause analysis to determine if the threshold breach is a temporary anomaly or a systemic issue.

How to eliminate wrong answers

Option B is wrong because arbitrarily increasing the threshold to 20% masks the underlying issue and violates the principle of maintaining risk appetite; thresholds should be based on risk tolerance, not adjusted to avoid alarms. Option C is wrong because replacing the control without understanding why exceptions occurred is premature and could introduce new risks; the existing control may be effective if the root cause is addressed. Option D is wrong because escalation to the board is reserved for material risk events or control failures that exceed the risk appetite after investigation; a 15% exception rate does not warrant board-level escalation as an immediate action.

133
Multi-Select · hard

An IT risk manager is developing KRIs for a critical application. Which TWO of the following are leading indicators that the risk level may be increasing? (Select TWO)

Select 2 answers
A. Average patch lag time increasing
B. Failed authentication spike
C. Audit findings of control deficiencies
D. Number of successful intrusions
E. Number of security incidents in the past month
Answers: A, B

Longer patch times increase the window of vulnerability.

Why this answer

Leading indicators predict future risk. A rising number of failed login attempts and an increase in average patch lag are leading indicators that signal potential attacks or increased vulnerability.

134
Multi-Select · medium

A risk practitioner is designing a risk report for the board of directors. Which TWO content elements are most appropriate for strategic risk reporting? (Select two.)

Select 2 answers
A. Trend analysis of top key risk indicators
B. List of all control deficiencies
C. Names of employees who failed phishing tests
D. Risk heat map showing overall risk exposure
E. Detailed log analysis results
Answers: A, D

Trends help the board understand changing risk levels.

Why this answer

Trend analysis of top key risk indicators (KRIs) is appropriate for strategic risk reporting because it provides the board with a high-level, forward-looking view of how key risks are evolving over time. This enables informed decision-making on risk appetite and strategic direction without overwhelming directors with operational details.

Exam trap

The trap here is that candidates confuse operational reporting details (like control deficiencies or phishing test results) with strategic-level content, failing to recognize that the board requires aggregated, decision-useful summaries rather than granular data.

135
MCQ · easy

An organization is implementing a new control to prevent unauthorized access to its critical database. Which type of control is most appropriate for this requirement?

A. Compensating control
B. Preventive control
C. Corrective control
D. Detective control
Answer: B

Preventive controls, like access controls and authentication mechanisms, stop unauthorized access before it happens.

Why this answer

A preventive control is the most appropriate because it directly stops unauthorized access before it can occur. For a critical database, this could involve implementing database-level access control lists (ACLs), network firewall rules restricting traffic to specific IP ranges, or mandatory multi-factor authentication (MFA) on the database service. These mechanisms enforce the security policy at the point of entry, blocking the threat actor before any interaction with the data.

Exam trap

The trap here is that candidates often confuse 'preventive' with 'detective' controls, mistakenly choosing detective controls (like logging) because they are more visible in audit reports, but the question explicitly asks for a control that 'prevents' access, which requires a proactive blocking mechanism.

How to eliminate wrong answers

Option A is wrong because a compensating control is an alternative measure used when the primary control cannot be implemented due to technical or business constraints, not the first choice for a direct requirement like preventing unauthorized access. Option C is wrong because a corrective control (e.g., restoring a database from a backup after a breach) acts after an incident has occurred, failing to meet the requirement to prevent access in the first place. Option D is wrong because a detective control (e.g., database audit logs or intrusion detection systems) only identifies unauthorized access after it has happened, providing no proactive prevention.

136
MCQ · medium

An organization wants to promote a risk-aware culture. Which of the following actions is MOST effective for encouraging employees to report incidents without fear?

A. Reward employees for zero incidents
B. Establish a non-punitive incident reporting policy
C. Implement automated monitoring tools
D. Conduct security awareness training annually
Answer: B

This explicitly encourages reporting without blame.

Why this answer

A blame-free environment encourages reporting by reducing fear of punishment.

137
MCQ · medium

An organization is implementing a continuous monitoring solution for its network. Which of the following is an example of continuous monitoring?

A. Monthly control testing by internal audit
B. Annual penetration testing
C. Quarterly access reviews
D. Daily automated vulnerability scanning
Answer: D

Daily scanning is continuous monitoring.

Why this answer

Automated vulnerability scanning is a continuous monitoring activity that provides ongoing visibility into security posture.

138
MCQ · medium

An organization is implementing a new access control system. Which of the following is the most important activity to ensure the control is effectively integrated into operations?

A. Updating relevant documentation
B. Assigning control ownership
C. Performing a cost-benefit analysis
D. Conducting a post-implementation review
Answer: A

Documentation ensures consistent understanding and application of the control.

Why this answer

Updating relevant documentation ensures that the new access control system's configuration, operational procedures, and troubleshooting steps are formally recorded and accessible to the operations team. Without accurate documentation, the control cannot be consistently maintained, monitored, or recovered during incidents, making it ineffective in day-to-day operations. This activity directly integrates the control into the operational lifecycle by providing a single source of truth for administrators.

Exam trap

The trap here is that candidates often mistake assigning control ownership as the most critical integration step, but ownership without documented operational procedures leaves the control vulnerable to human error and inconsistent management.

How to eliminate wrong answers

Option B is wrong because assigning control ownership identifies accountability but does not provide the procedural details needed for daily operation; ownership alone cannot ensure the control is operated correctly. Option C is wrong because a cost-benefit analysis is a pre-implementation decision tool, not an operational integration activity; it does not affect how the control is run after deployment. Option D is wrong because a post-implementation review validates the control's effectiveness and identifies improvements, but it is a one-time assessment rather than an ongoing operational integration step; documentation is the foundational activity that enables consistent operation.

139
MCQ · medium

Which of the following is a Key Control Indicator (KCI) that measures the effectiveness of a control?

A. Control exception rate
B. Number of risk events in the last quarter
C. Time since last audit
D. Percentage of employees who completed security awareness training
Answer: A

A high exception rate indicates control failures.

Why this answer

A KCI measures how well a control is performing. The exception rate for a control (e.g., percentage of transactions that bypass a required approval) directly indicates control deficiencies.

140
MCQ · medium

Which of the following is the primary purpose of a Key Risk Indicator (KRI)?

A. Measure the effectiveness of controls
B. Document historical incidents
C. Comply with regulatory requirements
D. Provide early warning of changing risk levels
Answer: D

Correct. KRIs indicate risk trends.

Why this answer

The primary purpose of a Key Risk Indicator (KRI) is to provide an early warning of changing risk levels, enabling proactive risk management before an adverse event occurs. KRIs track specific metrics that signal shifts in risk exposure, such as the number of unpatched critical vulnerabilities or failed login attempts, allowing organizations to adjust controls or resources in advance. This forward-looking function distinguishes KRIs from lagging indicators like control effectiveness metrics or incident logs.

Exam trap

The trap here is that candidates confuse KRIs with KPIs or control metrics, mistakenly thinking KRIs measure control effectiveness (Option A) rather than providing early warning of risk changes.

How to eliminate wrong answers

Option A is wrong because measuring the effectiveness of controls is the purpose of Key Performance Indicators (KPIs) or control testing, not KRIs; KRIs focus on risk exposure changes, not control performance. Option B is wrong because documenting historical incidents is the role of incident logs or post-mortem reports, whereas KRIs are forward-looking and designed to predict rather than record past events. Option C is wrong because while KRIs may support regulatory compliance indirectly, their primary purpose is not compliance; compliance requirements are met through specific control frameworks and reporting, not through the early-warning function of KRIs.

141
MCQ · easy

What is the primary purpose of a risk heat map in IT risk reporting?

A. Show control performance metrics
B. Display risk trends over time
C. Provide a visual representation of risk levels
D. List upcoming risk events
Answer: C

Heat maps use color coding to indicate risk severity.

Why this answer

A risk heat map visualizes risks based on likelihood and impact, helping prioritize attention.

142
MCQ · easy

An organization wants to promote a risk-aware culture. Which initiative best supports this goal?

A. Focusing only on technical controls
B. Limiting risk awareness training to IT staff
C. Punishing employees who cause security incidents
D. Encouraging incident reporting without blame
Answer: D

Correct. This promotes a learning culture.

Why this answer

Encouraging incident reporting without blame directly supports a risk-aware culture by removing the fear of punishment, which motivates employees to report issues promptly. This allows the organization to identify and respond to risks early, rather than hiding them, and aligns with the risk response principle of learning from incidents to improve controls.

Exam trap

The trap here is that candidates may confuse a risk-aware culture with strict enforcement or technical fixes, but CRISC emphasizes that culture is built on trust and open communication, not punishment or siloed training.

How to eliminate wrong answers

Option A is wrong because focusing only on technical controls ignores the human and cultural factors that are essential for a risk-aware culture; technical controls alone cannot address behavioral risks like failure to report incidents. Option B is wrong because limiting risk awareness training to IT staff excludes other departments (e.g., finance, HR, operations) that also handle sensitive data and face risks, creating blind spots in the organization's risk posture. Option C is wrong because punishing employees who cause security incidents discourages reporting, leading to hidden risks and missed opportunities for root cause analysis, which undermines a proactive risk culture.

143
MCQ · medium

A risk manager is evaluating the cost-effectiveness of a proposed control. The control costs $50,000 annually to implement and maintain. The current annual loss expectancy (ALE) for the risk is $200,000, and the control is expected to reduce the ALE by 70%. What is the net benefit (or loss) of implementing the control?

A. Net benefit of $90,000
B. Net loss of $10,000
C. Net benefit of $140,000
D. Net loss of $50,000
Answer: A

The reduction in ALE exceeds the control cost by $90,000.

Why this answer

The ALE reduction is $200,000 × 70% = $140,000. The annual cost of the control is $50,000. Net benefit = $140,000 − $50,000 = $90,000.

144
MCQ · hard

An organization uses Key Control Indicators (KCIs) to measure the effectiveness of its firewall change management process. Which KCI would best indicate a process deficiency?

A. Exception rate for changes not following the standard process
B. Percentage of changes approved by the change advisory board
C. Average time to implement a change
D. Number of firewall rules added per month
Answer: A

Correct. A high exception rate suggests the control is not being followed.

Why this answer

A high exception rate indicates that changes are frequently bypassing the standard process, signaling a control weakness.

145
MCQ · easy

Which of the following is the BEST example of promoting a risk-aware culture within an organization?

A. Implementing strict penalties for security violations
B. Assigning risk ownership to IT only
C. Encouraging incident reporting without blame
D. Conducting annual security training
Answer: C

This fosters open communication and learning from mistakes, key to risk culture.

Why this answer

Option C is correct because a blame-free incident reporting culture is the foundation of a risk-aware environment. When employees feel safe to report errors or near-misses without fear of punishment, the organization can collect accurate data on control weaknesses and emerging threats, enabling proactive risk response. This aligns with the COBIT 5 principle of fostering a culture of openness and learning, which is essential for effective risk management.

Exam trap

Cisco often tests the misconception that punitive measures or compliance-focused training create a risk-aware culture, when in reality, a blame-free reporting environment is the key enabler for continuous risk identification and improvement.

How to eliminate wrong answers

Option A is wrong because strict penalties for security violations create a culture of fear, which discourages incident reporting and drives issues underground, undermining risk awareness and learning. Option B is wrong because assigning risk ownership exclusively to IT ignores that risk is a business-wide concern; effective risk management requires ownership across all departments, including legal, finance, and operations. Option D is wrong because annual security training, while important, is a periodic compliance activity that does not by itself embed continuous risk awareness into daily behaviors or encourage proactive reporting of incidents.

146
MCQ · hard

A Key Risk Indicator (KRI) for vulnerability management is the "average patch lag time" (number of days between patch release and deployment). In the last month, this metric increased from 15 days to 45 days. How should the risk practitioner interpret this change?

A. The KRI is not relevant because patch lag is a control indicator, not a risk indicator.
B. The risk level has decreased because patches are being evaluated more thoroughly.
C. The risk level remains unchanged because patch lag is a lagging indicator.
D. The risk level has increased because exposure to known vulnerabilities has grown.
Answer: D

Longer exposure increases risk.

Why this answer

An increase in patch lag indicates that vulnerabilities remain unpatched longer, increasing the likelihood of exploitation. This is a leading indicator of rising risk.

147
MCQ · hard

An organization uses a Key Risk Indicator (KRI) that tracks the average number of days to patch critical vulnerabilities. The KRI has been trending upward over the last three months, from 15 days to 30 days, while the risk appetite threshold is 20 days. Which conclusion is most appropriate?

A. The patching process is effective because the KRI is still below 60 days
B. The KRI should be replaced with a lagging indicator
C. The vulnerability risk is increasing and requires management attention
D. The risk is within appetite because the increase is gradual
Answer: C

The KRI breach and trend indicate rising risk.

Why this answer

Since the KRI has exceeded the threshold and is trending upward, the risk level is increasing, requiring attention from management.

148
MCQ · medium

An organization is integrating IT risk into its enterprise risk management (ERM) program. What is the primary benefit of this integration?

A. It allows IT to operate independently
B. It eliminates all IT risks
C. It reduces the need for IT controls
D. It ensures IT risks are viewed in the context of business objectives
Answer: D

This is the primary benefit of integration.

Why this answer

Integrating IT risk into enterprise risk management (ERM) ensures that IT risks are evaluated in the context of business objectives, enabling prioritization of risk responses that align with strategic goals. This alignment prevents IT from operating in a silo and ensures that risk decisions support overall business value, not just technical compliance.

Exam trap

The trap here is that candidates mistakenly think integration means IT risks are eliminated or that IT can ignore business context, when in fact integration demands that IT risks be translated into business impact terms to drive appropriate control decisions.

How to eliminate wrong answers

Option A is wrong because integrating IT risk into ERM requires IT to align with business objectives, not operate independently; independence would create silos and increase misalignment. Option B is wrong because no risk management process can eliminate all IT risks; residual risk always remains, and the goal is to manage risk to an acceptable level, not zero. Option C is wrong because integration typically increases the need for well-designed IT controls to address risks that are now visible in the business context; reducing controls would increase exposure.

149
MCQ · hard

A Key Risk Indicator (KRI) for a critical system is the number of unpatched vulnerabilities older than 30 days. The threshold is set at 5. This KRI is best described as:

A. A Key Control Indicator (KCI)
B. A leading indicator of vulnerability risk
C. A measure of residual risk
D. A lagging indicator of control effectiveness
Answer: B

It indicates that patch management is behind schedule, increasing risk.

Why this answer

This KRI measures the time lag in patching, which is a leading indicator of increasing vulnerability risk. It signals that the risk level is changing before an actual exploit occurs.

150
MCQ · hard

A company is implementing a new access control system. During the project, the IT team updates the system configuration without notifying the risk team. This leads to a temporary misconfiguration that exposes sensitive data. Which process should have been followed to prevent this issue?

A. Control design approval
B. Continuous monitoring
C. Change management process
D. Vendor risk assessment
Answer: C

Change management would have required notification and review before the update.

Why this answer

Change management ensures that modifications to systems are authorized, reviewed, and communicated to relevant stakeholders to avoid unintended consequences.
