CCNA Crisc Risk Response Questions

10 of 160 questions · Page 3/3 · Crisc Risk Response topic · Answers revealed

151
MCQ · medium

During a quarterly control effectiveness test, internal audit finds that a detective control missed 15% of security incidents. The control owner claims this is within the acceptable error rate of 20%. However, the risk practitioner notes that the missed incidents were high-severity. What should the risk practitioner do?

A. Accept the control as effective since it is within the threshold
B. Escalate the findings to senior management with a recommendation to enhance the control
C. Implement a compensating control to cover high-severity incidents
D. Recommend revising the KCI threshold to include severity weighting
Answer: B

Escalation ensures that the risk associated with missed high-severity incidents is communicated to decision-makers.

Why this answer

The risk practitioner should escalate the findings to senior management with a recommendation to enhance the control because the detective control's failure to detect 15% of incidents, while within the 20% acceptable error rate, specifically missed high-severity incidents. High-severity incidents pose a disproportionate risk to the organization, and a control that fails to detect them is not effective in mitigating critical risks, regardless of meeting a generic threshold. Escalation ensures that management is aware of the residual risk and can authorize appropriate enhancements, such as tuning the control's detection logic or implementing additional monitoring for high-severity events.

Exam trap

Cisco often tests the misconception that meeting a quantitative KCI threshold automatically means a control is effective, without considering the qualitative severity of the incidents missed.

How to eliminate wrong answers

Option A is wrong because accepting the control as effective based solely on the 20% threshold ignores the materiality of the missed incidents; a control that misses high-severity incidents is not effective for risk management, even if it meets a quantitative KCI. Option C is wrong because implementing a compensating control is a tactical response that should be directed by management after escalation, not a first action by the risk practitioner, and it bypasses the need to address the root cause of the control's failure to detect high-severity incidents. Option D is wrong because revising the KCI threshold to include severity weighting is a metric adjustment that does not directly address the immediate control deficiency; the practitioner must first report the finding to management, who can then decide on metric changes as part of a broader remediation plan.

152
MCQ · medium

A risk manager is evaluating a control that addresses a high-risk finding from an internal audit. Which of the following is the MOST important factor in determining whether the control is effective?

A. The vendor's reputation for providing reliable security solutions
B. Key control indicators (KCIs) such as control deficiency rate and test results
C. The cost of the control relative to the asset value
D. The control's alignment with industry best practices
Answer: B

KCIs measure actual control performance and are the most direct indicators of effectiveness.

Why this answer

B is correct because the effectiveness of a control is determined by its ability to reduce risk to an acceptable level, which is directly measured by key control indicators (KCIs) such as the control deficiency rate and test results. These metrics provide empirical evidence of whether the control is operating as intended and mitigating the identified high-risk finding. Without such performance data, any assessment of effectiveness is speculative.

Exam trap

The trap here is that candidates often confuse 'alignment with best practices' (Option D) with proof of effectiveness, but CRISC requires evidence of actual control performance, not just theoretical compliance.

How to eliminate wrong answers

Option A is wrong because a vendor's reputation does not guarantee that the specific control implementation is effective in the organization's unique environment; effectiveness must be validated through actual testing and monitoring. Option C is wrong because cost relative to asset value is a factor in cost-benefit analysis, not a direct measure of control effectiveness; a low-cost control can be effective, and a high-cost control can fail. Option D is wrong because alignment with industry best practices is a design consideration, not a proof of operational effectiveness; a control may follow best practices but still have implementation flaws or be insufficient for the specific risk context.

153
Multi-Select · medium

An organization is integrating IT risk into its enterprise risk management (ERM) program. Which TWO of the following are key benefits of this integration?

Select 2 answers
A. Reduces the overall risk appetite of the organization
B. Eliminates the need for separate IT risk reporting
C. Guarantees that all IT risks are mitigated
D. Ensures IT risk is considered in strategic decisions
E. Provides a consistent risk language across the organization
Answers: D, E

Integration ensures IT risk is part of enterprise-level decisions.

Why this answer

Integrating IT risk into ERM allows for a holistic view of risk and ensures IT risk is considered alongside other operational risks.

154
MCQ · medium

A critical vendor is being onboarded. The vendor risk appetite policy requires SOC 2 Type II reports for critical vendors. The vendor has provided a SOC 2 Type I report. What should the risk manager do?

A. Request a SOC 2 Type II report from the vendor
B. Downgrade the vendor to a lower tier
C. Exempt the vendor from the requirement
D. Accept the Type I report as sufficient
Answer: A

Correct: the policy requires Type II for critical vendors.

Why this answer

SOC 2 Type II covers controls over a period, providing more assurance than Type I. The requirement is Type II, so the vendor should be asked to provide it.

155
MCQ · hard

A risk practitioner is designing a quarterly IT risk report for the CISO. Which of the following elements is MOST critical for tactical decision-making?

A. Top risks and status
B. Risk heat map
C. Upcoming risk events
D. Control performance metrics
Answer: D

These metrics (e.g., deficiency rates, test results) enable the CISO to make decisions about control improvements.

Why this answer

Control performance metrics (D) are most critical for tactical decision-making because they provide quantifiable, real-time data on how well existing security controls are operating. Tactical decisions require immediate, actionable insights—such as whether a firewall rule is blocking 95% of malicious traffic or if a patch management process is meeting its 30-day SLA—rather than high-level summaries or future projections. Without control metrics, the CISO cannot assess the effectiveness of current defenses or prioritize remediation efforts.

Exam trap

Cisco often tests the distinction between strategic, tactical, and operational reporting levels, and the trap here is that candidates confuse a risk heat map (a common visual tool) with actionable data, when in fact it is a strategic summary that lacks the control-specific metrics needed for tactical decisions.

How to eliminate wrong answers

Option A is wrong because 'top risks and status' is a strategic summary that informs long-term risk appetite and governance, not the granular, operational data needed for day-to-day tactical adjustments. Option B is wrong because a risk heat map provides a static, aggregated view of risk levels at a point in time, lacking the dynamic, control-specific performance data required for immediate tactical responses. Option C is wrong because 'upcoming risk events' are forward-looking and relevant for planning, but they do not reflect the current state of control effectiveness, which is essential for tactical decisions like reallocating resources or tuning controls.

156
MCQ · medium

Which of the following is the BEST Key Control Indicator (KCI) for measuring the effectiveness of a firewall?

A. Percentage of blocked intrusion attempts
B. Time since last firewall firmware update
C. Number of firewall rule changes per month
D. Number of firewall alerts generated
Answer: A

This directly measures how well the firewall is performing its preventive function.

Why this answer

The percentage of blocked intrusion attempts directly measures how effectively the firewall is enforcing its security policies to prevent unauthorized access. A high block rate indicates the firewall is correctly identifying and stopping threats, making it the most direct KCI for firewall effectiveness.

Exam trap

The trap here is confusing operational metrics (like patch age or change volume) with direct effectiveness metrics, leading candidates to choose a maintenance or activity indicator instead of a performance-based KCI.

How to eliminate wrong answers

Option B is wrong because time since last firmware update measures maintenance hygiene, not operational effectiveness; a firewall can be fully patched but still misconfigured. Option C is wrong because the number of rule changes per month measures administrative churn, not how well the firewall blocks threats; many changes could indicate instability or poor design. Option D is wrong because the number of alerts generated measures noise or volume, not effectiveness; a high alert count could result from false positives or benign traffic, not actual intrusion prevention.

157
MCQ · easy

When integrating IT risk into the enterprise risk management (ERM) program, what is the PRIMARY benefit?

A. Improved compliance with IT standards
B. Reduced IT operational costs
C. Increased frequency of risk assessments
D. Better alignment of IT risk with business objectives
Answer: D

Integration ensures IT risks are managed in line with enterprise goals.

Why this answer

Integrating IT risk into ERM ensures that IT risk decisions are directly linked to business strategy and objectives, enabling leadership to prioritize risks that could impact critical business outcomes. This alignment is the primary benefit because it transforms IT risk from a technical concern into a strategic business driver, facilitating better resource allocation and governance.

Exam trap

The trap here is that candidates confuse operational benefits (cost reduction, compliance, or process frequency) with the strategic benefit of business alignment, which is the core purpose of integrating IT risk into ERM.

How to eliminate wrong answers

Option A is wrong because improved compliance with IT standards is a secondary outcome, not the primary benefit; compliance supports risk management but does not inherently align IT risk with business goals. Option B is wrong because reducing IT operational costs is a potential operational efficiency gain, not the core purpose of ERM integration, which focuses on strategic risk alignment rather than cost-cutting. Option C is wrong because increased frequency of risk assessments is a tactical process change that does not guarantee better business alignment; ERM integration prioritizes relevance and decision-making over assessment cadence.

158
MCQ · hard

During a third-party risk assessment, a vendor is classified as 'critical' due to its access to sensitive customer data. According to the organization's vendor risk appetite, what is the minimum security requirement for this vendor?

A. SOC 2 Type II report
B. Annual compliance attestation
C. Penetration test results from the vendor
D. Self-assessment questionnaire only
Answer: A

Correct. This is a common requirement for high-risk vendors.

Why this answer

A SOC 2 Type II report is the minimum security requirement for a critical vendor because it provides an independent audit of controls over security, availability, processing integrity, confidentiality, and privacy over a period of time (typically 6–12 months). This aligns with the organization's risk appetite for sensitive customer data, as it offers more assurance than a point-in-time assessment or self-report.

Exam trap

The trap here is that candidates often choose penetration test results (Option C) thinking they are the most technical and thorough, but fail to recognize that for critical vendors, ongoing control effectiveness over time (SOC 2 Type II) is more aligned with risk appetite than a single point-in-time test.

How to eliminate wrong answers

Option B is wrong because an annual compliance attestation is a self-declaration without independent verification, which is insufficient for a critical vendor handling sensitive customer data. Option C is wrong because penetration test results, while valuable, are point-in-time and do not cover the breadth of operational controls (e.g., access management, encryption) that a SOC 2 Type II report addresses. Option D is wrong because a self-assessment questionnaire relies solely on the vendor's own assertions and lacks the objectivity and rigor required for critical vendors.

159
Multi-Select · hard

A financial services company is implementing a vendor risk management program. Which THREE of the following are key components of an effective vendor risk assessment process? (Select THREE)

Select 3 answers
A. Contract compliance reviews
B. Ongoing monitoring via annual reassessments
C. Review of vendor's cyber insurance policy
D. Initial onboarding assessment including security questionnaires
E. Vendor self-assessment without validation
Answers: A, B, D

Ensuring vendors meet contractual security requirements is essential.

Why this answer

Contract compliance reviews (A) are a key component because they verify that vendors are meeting agreed-upon service level agreements (SLAs), security clauses, and regulatory requirements. This ensures that contractual obligations, such as data protection standards and incident response timelines, are being enforced and that any deviations are identified and remediated. Without this review, the organization cannot confirm that the vendor's actual practices align with the risk posture agreed upon during onboarding.

Exam trap

The trap here is that candidates often confuse risk transfer mechanisms (like cyber insurance) with risk assessment activities, leading them to select option C, when in fact insurance does not evaluate the vendor's actual security posture or operational risk.

160
MCQ · hard

An organization uses a Key Control Indicator (KCI) to measure control effectiveness. The KCI shows a control deficiency rate of 12% over the past quarter, exceeding the target threshold of 5%. Which action is MOST appropriate as an initial response?

A. Report the deficiency to the board for oversight
B. Increase the frequency of control testing to monthly
C. Immediately replace the control with a more robust one
D. Conduct a root cause analysis of the deficiencies
Answer: D

Understanding why the control is failing is essential before implementing corrective actions.

Why this answer

A high deficiency rate indicates the control is not working as intended. The first step is to investigate root causes to determine necessary remediation.


CCNA Crisc Risk Response Questions — Page 3 of 3 | Courseiva