CCNA IT Risk Assessment Questions

55 of 130 questions · Page 2/2 · IT Risk Assessment topic · Answers revealed

76
Multi-Select · easy

Which TWO outcomes indicate that a risk assessment process is effective?

Select 2 answers
A. All potential risks have been identified.
B. Risk treatment decisions are based on clear, prioritized findings.
C. Residual risk is consistently below the risk appetite.
D. No negative risk events occur after the assessment.
E. The organization achieves full compliance with security standards.
Answers: B, C

Effective assessment produces actionable priorities.

Why this answer

Option B is correct because an effective risk assessment must produce prioritized findings that directly inform risk treatment decisions. Without clear prioritization (e.g., based on inherent risk scores or likelihood/impact ratings), the organization cannot allocate resources efficiently or select appropriate controls. Option C is correct because residual risk staying within the risk appetite is the observable result of those findings having driven treatment: the assessment has led to decisions that hold exposure at the level the organization said it would tolerate. The CRISC framework emphasizes that the output of risk assessment is actionable intelligence, not just a list of risks.

Exam trap

The trap here is that candidates confuse the goal of risk assessment (producing prioritized, decision-ready findings) with other risk management activities like risk identification (A), risk monitoring (D), or compliance (E), leading them to select options that sound desirable but do not directly measure assessment effectiveness.

77
Multi-Select · medium

Which TWO of the following are valid triggers for initiating a risk assessment outside the regular cycle? (Select 2)

Select 2 answers
A. An employee completing annual security awareness training
B. A significant change in the IT infrastructure
C. Introduction of a new regulatory requirement
D. The annual internal audit of financial controls
E. Completion of a routine security patch cycle
Answers: B, C

Changes introduce new risks and require reassessment.

Why this answer

A significant change in IT infrastructure (Option B) is a classic trigger for ad-hoc risk assessment because it introduces new vulnerabilities, alters the attack surface, or changes the effectiveness of existing controls. For example, migrating from on-premises servers to a cloud environment (e.g., AWS, Azure) changes network segmentation, identity management, and data residency, requiring a fresh risk evaluation to identify and treat new threats before they are exploited. A new regulatory requirement (Option C) is the other valid trigger: it changes the organization's compliance obligations and can raise the impact rating of existing risks, so the assessment must be revisited to find any control gaps the new rule creates.

Exam trap

ISACA often tests the distinction between routine, scheduled activities (like training, audits, or patching) and genuine change events that alter the risk profile, tricking candidates into selecting familiar operational tasks as triggers.

78
MCQ · medium

During a risk assessment, the risk practitioner discovers that a critical database does not have an active failover solution. The database is used by multiple business applications. Which of the following factors should be given the HIGHEST weight when determining the inherent risk level?

A. The criticality of the database to business operations
B. The number of existing compensating controls
C. The frequency of vulnerability scans
D. The cost to restore the database from backup
Answer: A

Inherent risk is based on the asset's value and exposure; business criticality determines impact.

Why this answer

The inherent risk level is determined by the potential impact and likelihood of a threat exploiting a vulnerability, without considering controls. The criticality of the database to business operations directly drives the impact severity—if the database fails, multiple business applications could be disrupted, leading to significant operational and financial damage. This makes option A the highest-weighted factor because it defines the worst-case consequence, which is the foundation of inherent risk.

Exam trap

The trap here is that candidates confuse inherent risk with residual risk, and incorrectly weigh compensating controls or recovery costs as primary factors for inherent risk, when they only apply after controls are considered.

How to eliminate wrong answers

Option B is wrong because compensating controls are considered when assessing residual risk, not inherent risk; inherent risk assumes no controls are in place. Option C is wrong because the frequency of vulnerability scans is a control activity that reduces risk, not a factor that increases or defines inherent risk. Option D is wrong because the cost to restore the database from backup is a recovery cost that informs risk treatment decisions (for example, whether an active failover solution is worth its price, or what RTO and RPO are affordable), not the inherent risk level, which focuses on the raw exposure before any mitigation.

79
MCQ · medium

After a security incident, an organization discovers that a critical database was accessed by an unauthorized user due to weak authentication controls. As part of the IT risk assessment process, which step should have identified this vulnerability?

A. Risk treatment
B. Risk monitoring
C. Risk identification
D. Risk evaluation
Answer: C

Risk identification is the step that identifies vulnerabilities.

Why this answer

Risk identification is the step in the IT risk assessment process where potential vulnerabilities, such as weak authentication controls, are systematically discovered and documented. In this scenario, the weak authentication that allowed unauthorized database access should have been identified during risk identification, which involves cataloging assets, threats, vulnerabilities, and existing controls. This step precedes any treatment, monitoring, or evaluation activities.

Exam trap

The trap here is that candidates confuse risk identification with risk evaluation or risk treatment, mistakenly thinking that evaluating the impact of a weak control or treating it after discovery is the same as initially finding the vulnerability.

How to eliminate wrong answers

Option A is wrong because risk treatment involves selecting and implementing controls to mitigate identified risks, not discovering vulnerabilities; the weak authentication would have already needed to be known before treatment could occur. Option B is wrong because risk monitoring is a continuous process of tracking identified risks and control effectiveness over time, not the initial step to find a vulnerability like weak authentication. Option D is wrong because risk evaluation compares the level of risk against risk criteria to prioritize treatment, but it assumes the vulnerability has already been identified; it does not discover new vulnerabilities.

80
MCQ · easy

During a risk assessment of a web application, the risk owner identifies that the application uses outdated encryption algorithms. What is the most appropriate next step?

A. Escalate the issue to senior management for approval to accept the risk.
B. Accept the risk without action because encryption is not critical.
C. Document the finding in the risk register and assign a remediation timeline.
D. Immediately patch the application to use modern encryption without further analysis.
Answer: C

Proper documentation ensures the risk is tracked and addressed.

Why this answer

Option C is correct because the risk owner has identified a specific vulnerability (outdated encryption algorithms) that must be formally recorded in the risk register. The next step is to document the finding and assign a remediation timeline, which aligns with the risk assessment process of treating identified risks. This ensures the issue is tracked, prioritized, and addressed within the organization's risk management framework, rather than being escalated, ignored, or patched without analysis.

Exam trap

The trap here is that candidates may confuse the immediate need to patch (Option D) with the proper risk management process, which requires documentation and analysis before any remediation action is taken.

How to eliminate wrong answers

Option A is wrong because escalating to senior management for risk acceptance is premature; the risk must first be documented and assessed for impact and likelihood before any acceptance decision. Option B is wrong because accepting the risk without action ignores the fact that outdated encryption algorithms (e.g., DES with its 56-bit key, RC4 with its keystream biases, or 3DES with its 64-bit block size) have known practical attacks (brute force, statistical and birthday-bound cryptanalysis) and can lead to data breaches, making encryption critical for confidentiality. Option D is wrong because immediately patching without further analysis bypasses the risk assessment process; a patch could introduce compatibility issues or fail to address the root cause, and a proper change management process is required.

81
Multi-Select · hard

An organization is implementing a quantitative risk assessment for its customer database. Which TWO elements are essential for calculating the annualized loss expectancy (ALE)?

Select 2 answers
A. Annualized rate of occurrence (ARO)
B. Control effectiveness rating
C. Asset value (AV)
D. Inherent risk score
E. Risk appetite threshold
Answers: A, C

ARO is directly multiplied by SLE to derive ALE.

Why this answer

The annualized loss expectancy (ALE) is calculated by multiplying the single loss expectancy (SLE) by the annualized rate of occurrence (ARO). SLE itself is derived from the asset value (AV) multiplied by the exposure factor (EF), making AV the second essential element. Without both ARO and AV, you cannot compute the expected monetary loss over a one-year period for the customer database.

Exam trap

The trap here is that candidates often confuse the components of SLE (AV and EF) with the ALE formula itself, mistakenly thinking control effectiveness or inherent risk scores are direct multipliers in the ALE calculation, when in fact they are separate risk assessment inputs.

82
Multi-Select · hard

A risk assessment team is calculating the Annual Loss Expectancy (ALE) for a critical server. The Single Loss Expectancy (SLE) is $50,000 and the Annual Rate of Occurrence (ARO) is estimated to be 2. The team is considering implementing a new backup solution costing $40,000 per year. Which TWO of the following statements are true regarding the cost-benefit analysis? (Select TWO.)

Select 2 answers
A. The net benefit of the backup is $60,000 per year.
B. The backup is cost-effective if the ALE reduction exceeds the annual cost.
C. The ALE after implementing the backup is $100,000 minus the backup cost.
D. The payback period for the backup is one year.
E. The current ALE without backup is $100,000.
Answers: B, E

Cost-effectiveness is determined by comparing risk reduction to cost.

Why this answer

Option B is correct because a cost-benefit analysis for a risk mitigation measure like a backup solution requires that the reduction in ALE (the benefit) exceed the annual cost of the control. Here, the current ALE is $100,000 (SLE $50,000 × ARO 2). If the backup reduces the ALE by more than $40,000 per year, it is cost-effective.

Option E is correct because the current ALE without backup is indeed $50,000 × 2 = $100,000.

Exam trap

The trap here is that candidates mistakenly assume the backup cost is subtracted directly from the current ALE to get a net benefit, ignoring that the control reduces but does not eliminate the risk, and that the payback period requires knowing the actual annual benefit.
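The arithmetic behind questions 81 and 82, worked through as an added example (it is not part of the original page). The $50,000 SLE, ARO of 2 and $40,000 annual cost are the figures question 82 states; the asset value and exposure factor used for question 81, and the post-backup SLE used to show the cost-benefit decision, are constructed assumptions, because the questions do not give them.

```python
"""Quantitative risk arithmetic behind questions 81 and 82: SLE, ALE and a
control's cost-benefit.  Added example, not part of the original page."""
from dataclasses import dataclass


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV x EF.  EF is the fraction of the asset's value lost in one event."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must lie between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO.  ARO may be fractional: 0.1 means once per ten years."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle * aro


@dataclass(frozen=True)
class ControlAnalysis:
    """Cost-benefit of one control, comparing ALE with and without it."""
    ale_before: float
    ale_after: float
    annual_cost: float

    @property
    def ale_reduction(self) -> float:
        """The benefit: how much expected annual loss the control removes."""
        return self.ale_before - self.ale_after

    @property
    def net_benefit(self) -> float:
        """Return on security investment: benefit minus the control's own cost."""
        return self.ale_reduction - self.annual_cost

    @property
    def cost_effective(self) -> bool:
        """Question 82, option B: worth it only if the ALE reduction exceeds the cost."""
        return self.ale_reduction > self.annual_cost


def evaluate_control(sle_before: float, aro_before: float,
                     sle_after: float, aro_after: float,
                     annual_cost: float) -> ControlAnalysis:
    """A control may lower ARO (prevention), SLE (limiting damage), or both."""
    return ControlAnalysis(
        ale_before=annualized_loss_expectancy(sle_before, aro_before),
        ale_after=annualized_loss_expectancy(sle_after, aro_after),
        annual_cost=annual_cost,
    )


def question_82_analysis(sle_after: float = 10_000.0) -> ControlAnalysis:
    """Question 82's stated figures: SLE $50,000, ARO 2, backup $40,000/year.
    A backup does not stop the server failing (ARO stays 2); what it changes
    is the loss per failure.  The post-backup SLE is a constructed assumption,
    because the question does not give it, which is exactly why options A, C
    and D cannot be computed from the question alone."""
    return evaluate_control(50_000.0, 2.0, sle_after, 2.0, 40_000.0)


if __name__ == "__main__":
    # Question 81: AV and EF produce SLE, and ARO turns SLE into ALE.
    # The asset value and EF here are constructed for illustration.
    sle = single_loss_expectancy(asset_value=1_000_000.0, exposure_factor=0.05)
    print(f"SLE = ${sle:,.0f}, ALE at ARO 0.5 = ${annualized_loss_expectancy(sle, 0.5):,.0f}")

    for assumed_sle_after in (10_000.0, 35_000.0):
        a = question_82_analysis(assumed_sle_after)
        print(f"post-backup SLE ${assumed_sle_after:,.0f}: ALE ${a.ale_before:,.0f} -> "
              f"${a.ale_after:,.0f}, reduction ${a.ale_reduction:,.0f}, "
              f"net ${a.net_benefit:,.0f}, cost-effective={a.cost_effective}")
```

With the assumed post-backup SLE of $10,000 the ALE falls from $100,000 to $20,000, the reduction ($80,000) exceeds the $40,000 cost, and the net benefit is $40,000, not the $60,000 of option A, which wrongly treats the control as eliminating the whole ALE. Raising the assumed post-backup SLE to $35,000 leaves a $30,000 reduction, and the same control is no longer cost-effective: the decision depends on how much risk the control actually removes, which is the point of option B.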

83
Multi-Select · medium

Which TWO of the following are primary factors that determine how often a risk assessment should be performed?

Select 2 answers
A. Available risk assessment budget
B. Rate of change in the IT environment
C. Number of IT employees
D. Inherent risk level of critical assets
E. Number of past security incidents
Answers: B, D

Higher change rate requires more frequent assessments.

Why this answer

The rate of change in the IT environment directly impacts the risk landscape; frequent changes (e.g., new applications, infrastructure updates, cloud migrations) introduce new vulnerabilities and alter existing threat vectors, requiring more frequent assessments to ensure controls remain effective. Inherent risk level of critical assets determines priority—higher inherent risk (e.g., systems processing PII or financial transactions) demands more frequent assessments because the potential impact of exploitation is greater, aligning with the ISACA risk assessment scheduling principle.

Exam trap

The trap here is that candidates confuse operational constraints (budget, staff count) or reactive metrics (past incidents) with the proactive, risk-driven factors that ISACA emphasizes for determining assessment frequency, leading them to select budget or incident count instead of change rate and inherent risk.

84
MCQ · medium

A risk assessment team is evaluating the effectiveness of existing controls for a critical application. Which of the following approaches best determines whether controls are operating as intended?

A. Interviewing the control owner
B. Reviewing control documentation
C. Conducting a walkthrough and testing the controls
D. Analyzing historical audit findings
Answer: C

Provides direct evidence of effectiveness.

Why this answer

Option C is correct because walkthroughs and testing provide direct, empirical evidence that controls are functioning as designed. For a critical application, this approach validates actual control execution (e.g., verifying that an automated access control list (ACL) on a database server actually blocks unauthorized queries), rather than relying on secondhand accounts or static documentation. Testing confirms operating effectiveness as of the time of the test, which is essential for an accurate risk assessment; a control that has silently degraded, such as a rule that was disabled during troubleshooting and never re-enabled, only shows up this way.

Exam trap

The trap here is that candidates often confuse 'design effectiveness' (confirmed by documentation and interviews) with 'operating effectiveness' (confirmed only by walkthroughs and testing), leading them to choose Option B or A when the question explicitly asks whether controls are operating as intended.

How to eliminate wrong answers

Option A is wrong because interviewing the control owner only yields subjective, self-reported information about how controls are supposed to work, not objective proof of actual operation; control owners may overstate effectiveness or omit failures. Option B is wrong because reviewing control documentation (e.g., policy documents, configuration guides) shows intended design but cannot reveal whether controls are consistently applied or have degraded over time (e.g., a documented firewall rule may have been inadvertently disabled). Option D is wrong because analyzing historical audit findings provides evidence of past issues but does not confirm current control operation; controls may have been remediated or new gaps may have emerged since the last audit.

85
Multi-Select · hard

Which THREE of the following are key components of an IT risk assessment report as per ISACA guidelines?

Select 3 answers
A. Detailed results of control testing
B. Cost-benefit analysis of risk responses
C. Identified risk scenarios and their risk levels
D. Residual risk after implementing controls
E. Recommended risk response options
Answers: C, D, E

Risk scenarios and levels are core to the assessment report.

Why this answer

Option C is correct because an IT risk assessment report, per ISACA guidelines, must include identified risk scenarios and their associated risk levels. This is a core component that documents the specific threats, vulnerabilities, and the resulting inherent risk ratings (e.g., using a 5x5 risk matrix) to provide a clear picture of the risk landscape. Options D and E are correct because the report must also state the residual risk that remains once existing controls are taken into account, and recommend response options so that the risk owner can make an informed treatment decision; without those two elements the report describes exposure but gives management nothing to decide on.

Exam trap

The trap here is that candidates often confuse the risk assessment report with the risk treatment plan or control testing report, leading them to select options like cost-benefit analysis or detailed control testing results, which are not core components of the risk assessment report per ISACA guidelines.

86
MCQ · hard

An organization uses a third-party vendor for critical data processing. The vendor has experienced two minor security incidents in the past year with no data loss. The risk manager is updating the vendor risk assessment. Which approach best aligns with ISACA's guidance?

A. Initiate a formal reassessment of the vendor's security controls and contractual protections.
B. Increase the frequency of vendor audits to quarterly.
C. Request a copy of the vendor's SOC 2 report from last year.
D. Accept the risk because the incidents did not result in data loss.
Answer: A

Recurring incidents warrant a full reassessment to determine if the vendor's risk profile has changed.

Why this answer

ISACA's guidance emphasizes that even minor security incidents without data loss indicate potential control weaknesses that require reassessment. A formal reassessment (A) ensures the vendor's security controls and contractual protections are re-evaluated to address underlying risks, aligning with the principle of continuous risk monitoring and response.

Exam trap

The trap here is that candidates assume no data loss means no risk, but ISACA requires proactive reassessment of controls after any incident to prevent escalation, not passive acceptance or superficial monitoring.

How to eliminate wrong answers

Option B is wrong because increasing audit frequency to quarterly does not address the root cause of the incidents; it only increases oversight without reassessing the effectiveness of existing controls. Option C is wrong because a SOC 2 report from last year is historical and may not reflect current control effectiveness after two incidents; it provides a point-in-time assessment rather than a dynamic response. Option D is wrong because accepting risk solely because no data loss occurred ignores the potential for future incidents with more severe consequences; ISACA requires risk treatment based on likelihood and impact, not just past outcomes.

87
MCQ · easy

During a risk assessment, the risk manager identifies a vulnerability in a web application that could allow SQL injection. The development team states they will fix it in the next release, which is six months away. What should the risk manager do?

A. Implement a web application firewall (WAF) as a compensating control.
B. Accept the risk due to the low likelihood of exploitation.
C. Document the risk and defer action to the next assessment.
D. Request an immediate emergency patch deployment.
Answer: A

WAF can block SQL injection attacks until the fix is deployed.

Why this answer

A web application firewall (WAF) is the appropriate compensating control because it can inspect and block SQL injection payloads at the HTTP/HTTPS layer without modifying the application code. This provides immediate risk reduction while the development team works on the permanent fix, aligning with the principle of defense-in-depth and the risk manager's responsibility to treat unacceptable risk during the remediation window. It is a compensating control, not a fix: a WAF reduces likelihood by matching known attack patterns in requests and can be evaded by payloads its rules do not recognize, so the code-level remediation remains the permanent treatment and the residual risk during the six months should be recorded as such.

Exam trap

The trap here is that candidates may assume accepting risk (Option B) is valid because the fix is scheduled, but CRISC emphasizes that risk acceptance requires formal sign-off and cannot be used as a default for unmitigated critical vulnerabilities; the correct response is to implement a compensating control to reduce residual risk to an acceptable level.

How to eliminate wrong answers

Option B is wrong because the risk manager cannot simply accept the risk based on an unsubstantiated assumption of low likelihood; SQL injection is a well-known, actively exploited vulnerability with high impact, and acceptance requires formal approval and documented justification. Option C is wrong because deferring action to the next assessment ignores the current exposure and violates the risk treatment requirement to address identified vulnerabilities in a timely manner, especially when a compensating control like a WAF is available. Option D is wrong because requesting an immediate emergency patch deployment is impractical for a six-month release cycle and may introduce instability; the development team has already committed to a scheduled fix, and the risk manager should implement a temporary control rather than demand an unrealistic patch.

88
Multi-Select · easy

Which THREE of the following are valid risk response options according to the ISACA risk management framework? (Select 3)

Select 3 answers
A. Enhance the risk to gain strategic advantage
B. Mitigate the risk through controls
C. Avoid the risk
D. Monitor the risk without taking action
E. Transfer the risk via insurance
Answers: B, C, E

Reducing likelihood or impact.

Why this answer

Option B is correct because risk mitigation involves implementing controls to reduce the likelihood or impact of a risk to an acceptable level. In the ISACA framework, this is a primary risk response option, often achieved through technical controls like firewalls, encryption, or access management systems. Option C (avoid) is correct because eliminating the activity or technology that gives rise to the risk is a recognized response when no affordable control brings it within appetite. Option E (transfer) is correct because shifting part of the financial impact to a third party, such as an insurer or an outsourcing provider under contract, is likewise a recognized response, even though it leaves the operational exposure itself in place.

Exam trap

The trap here is that candidates may confuse 'monitor the risk' as a valid response option, but ISACA requires a specific action (avoid, mitigate, transfer, accept) rather than a passive monitoring activity.

89
MCQ · hard

A large e-commerce company is assessing the risk of a distributed denial-of-service (DDoS) attack on its web applications. The company has experienced three DDoS attacks in the past year, each causing significant downtime and revenue loss. The current mitigation strategy relies on an on-premise appliance that can handle up to 10 Gbps of attack traffic. Recent industry reports indicate that DDoS attacks are growing in volume and sophistication, with some exceeding 100 Gbps. The company's risk appetite for availability is moderate. The security team has proposed migrating to a cloud-based DDoS protection service that scales to 200 Gbps, but it will increase annual operational costs by 40%. The business is concerned about the cost increase. Which of the following is the BEST risk treatment decision?

A. Transfer the risk by purchasing business interruption insurance that covers revenue loss during outages.
B. Accept the risk because the company has survived previous attacks and the cost of mitigation is high.
C. Reduce the risk by implementing the cloud-based DDoS protection service, accepting the cost increase.
D. Reduce the risk by upgrading the on-premise appliance to handle up to 50 Gbps, which is within budget.
Answer: C

Scalable solution matches risk appetite.

Why this answer

Option C is correct because the current on-premise appliance (10 Gbps capacity) is insufficient against modern DDoS attacks that can exceed 100 Gbps, as noted in industry reports. Migrating to a cloud-based DDoS protection service that scales to 200 Gbps directly reduces the risk to a level aligned with the company's moderate risk appetite for availability, despite the 40% cost increase. The business concern about cost is secondary to the necessity of mitigating a risk that could cause catastrophic revenue loss, and the cloud service provides elastic scalability that an on-premise upgrade cannot match.

Exam trap

The trap here is that candidates may choose Option D (upgrading to 50 Gbps) because it appears to be a cost-effective risk reduction, but they overlook that it still leaves the organization exposed to attacks exceeding 50 Gbps, which is a common scenario given the trend toward 100+ Gbps attacks, and fails to meet the moderate risk appetite for availability.

How to eliminate wrong answers

Option A is wrong because transferring risk via business interruption insurance does not prevent downtime or revenue loss; it only provides financial compensation after the fact, which does not address the company's moderate risk appetite for availability or the operational impact of repeated outages. Option B is wrong because accepting the risk ignores the clear trend of increasing attack volumes (up to 100+ Gbps) and the fact that the company has already suffered significant downtime and revenue loss from three attacks; the high cost of mitigation does not justify continued exposure when the risk exceeds the risk appetite. Option D is wrong because upgrading the on-premise appliance to 50 Gbps is still far below the 100+ Gbps attack volumes reported, leaving the company vulnerable to larger attacks; it also lacks the elastic scaling and global scrubbing capacity of a cloud-based service, making it an inadequate risk reduction measure.

90
MCQ · medium

A company has identified a risk of data breach due to weak encryption. The current controls include encryption at rest but not in transit. The risk assessment team calculates inherent risk as high and residual risk as high. What should the team recommend FIRST?

A. Implement encryption in transit to reduce likelihood
B. Transfer the risk by purchasing cyber insurance
C. Avoid the risk by discontinuing data transmission
D. Accept the risk because it is already high
Answer: A

Directly mitigates the root cause.

Why this answer

The risk assessment team should first recommend implementing encryption in transit because the current controls only address data at rest, leaving data vulnerable during transmission. Since both inherent and residual risks are high, the most direct and effective control to reduce likelihood is to apply a technical safeguard like TLS 1.3 for data in transit, which directly addresses the identified gap.

Exam trap

The trap here is that candidates may think accepting high residual risk is acceptable if inherent risk is also high, but CRISC emphasizes that risk should be reduced to an acceptable level using controls before considering acceptance or transfer.

How to eliminate wrong answers

Option B is wrong because transferring risk via cyber insurance does not reduce the likelihood or impact of a data breach; it only provides financial compensation after an incident, which is not a first-line recommendation when a technical control is missing. Option C is wrong because avoiding the risk by discontinuing data transmission is an extreme measure that would halt business operations, and it is not the first recommendation when a feasible technical control (encryption in transit) exists. Option D is wrong because accepting a high residual risk when a cost-effective control is available violates the principle of risk reduction; acceptance should only be considered after all reasonable mitigation options have been evaluated.

91
MCQ · hard

A risk assessor is evaluating a third-party cloud service provider. Which of the following is the MOST important factor to consider when assessing the risk of data exfiltration?

A. The provider's data portability and exit process
B. The provider's service level agreement (SLA) for uptime
C. The number of security certifications held by the provider
D. The provider's encryption standards for data at rest and in transit
Answer: D

Encryption is key to protecting data.

Why this answer

Data exfiltration risk is primarily mitigated by strong encryption standards for data at rest and in transit. Even if a provider has robust access controls, weak encryption (e.g., using TLS 1.0 or AES-128-CBC with predictable IVs) can allow an attacker to intercept or decrypt data during transfer or storage. Encryption directly prevents unauthorized extraction of readable data, making it the most critical factor.

Exam trap

The trap here is that candidates often choose 'security certifications' (Option C) as a proxy for security, but CRISC emphasizes that certifications are process-based and do not guarantee technical controls like encryption strength, which directly addresses the exfiltration threat.

How to eliminate wrong answers

Option A is wrong because data portability and exit process address vendor lock-in and migration, not the active prevention of data theft during normal operations. Option B is wrong because SLA uptime guarantees availability, not confidentiality; a provider with 99.999% uptime could still have weak encryption enabling exfiltration. Option C is wrong because security certifications (e.g., ISO 27001, SOC 2) indicate a baseline of controls but do not guarantee the strength or implementation of encryption; a provider can hold many certifications yet use outdated cipher suites like RC4.

92
Drag & Drop · medium

Put the steps for developing an information security policy in order.


Why this order

Policy development starts with gap analysis, drafting, stakeholder review, approval, and communication.

93
MCQ · medium

Based on the exhibit, what is the PRIMARY risk associated with this S3 bucket policy?

A. The policy allows access to all S3 buckets in the account
B. The policy denies access to legitimate users from outside the subnet
C. The policy permits unauthenticated access to sensitive data
D. The policy uses an incorrect IP range that blocks all traffic
Answer: C

The principal is '*' and the statement carries no restricting condition, so any user, including unauthenticated users on the internet, can read the bucket.

Why this answer

The S3 bucket policy includes a `Principal: "*"` statement that grants public access to the bucket. Combined with an `Effect: Allow` and `Action: s3:GetObject`, this permits any unauthenticated user on the internet to read objects in the bucket. This is the primary risk because it exposes sensitive data to anyone without requiring AWS credentials or any form of authentication.

Exam trap

The trap here is that candidates may focus on the IP range or subnet details mentioned in the options, but the actual policy lacks any IP restriction and instead grants full public access via `Principal: "*"`, making unauthenticated access the primary risk.

How to eliminate wrong answers

Option A is wrong because the policy uses a `Resource` ARN that specifies a single bucket (e.g., `arn:aws:s3:::example-bucket/*`), not all buckets in the account. Option B is wrong because the policy does not contain a `Deny` effect or a `Condition` block restricting access based on source IP or VPC subnet; it allows all principals without any network restriction. Option D is wrong because the policy does not include any IP address condition (such as `aws:SourceIp`) that could be misconfigured; the risk is about unauthenticated access, not an IP range error.
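A check for the condition the explanation above describes, as an added example that is not part of the original page or of any AWS tooling. The exhibit itself is not reproduced on this page, so the first policy document below is a constructed reconstruction of what the explanation says it contains (Allow, Principal "*", s3:GetObject, one bucket, no Condition); the IP-scoped and role-scoped variants, the 203.0.113.0/24 range and the 123456789012 account ID are likewise constructed placeholders.

```python
"""Flag bucket-policy statements that grant access to anyone.
Added example for question 93; the policy documents are constructed to match
the explanation's description of the exhibit, not the exhibit itself."""
import json
from typing import Any

# Constructed reconstruction of the exhibit as the explanation describes it.
PUBLIC_READ_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
})

# Same grant limited to a source-IP range (the situation options B and D imagine).
IP_SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "OfficeRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
        "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}},
    }],
})

# Remediated form: a specific IAM principal (account ID is a placeholder).
ROLE_SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppRead",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
        "Action": ["s3:GetObject"],
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
})


def _as_list(value: Any) -> list:
    """Policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_anyone(principal: Any) -> bool:
    """True for both spellings of 'everyone': "*" and {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def find_wildcard_grants(policy_json: str) -> list[dict]:
    """Return every Allow statement whose Principal is anyone.

    A Condition does not make such a grant safe by itself, but it narrows who
    matches, so the finding records it for the reviewer to judge."""
    policy = json.loads(policy_json)
    findings = []
    for index, statement in enumerate(_as_list(policy.get("Statement"))):
        if statement.get("Effect") != "Allow":
            continue  # a Deny on "*" restricts rather than exposes
        if not _principal_is_anyone(statement.get("Principal")):
            continue
        findings.append({
            "sid": statement.get("Sid", f"Statement[{index}]"),
            "actions": _as_list(statement.get("Action")),
            "resources": _as_list(statement.get("Resource")),
            "conditioned": "Condition" in statement,
        })
    return findings


def is_public(policy_json: str) -> bool:
    """Unauthenticated access, the primary risk in question 93, is an
    anyone-grant with no Condition at all."""
    return any(not f["conditioned"] for f in find_wildcard_grants(policy_json))


if __name__ == "__main__":
    for name, doc in [("public", PUBLIC_READ_POLICY), ("ip-scoped", IP_SCOPED_POLICY),
                      ("role-scoped", ROLE_SCOPED_POLICY)]:
        print(f"{name:12} public={is_public(doc)!s:5} {find_wildcard_grants(doc)}")
```

The reconstructed policy is flagged as public; the IP-scoped variant is reported but not called public, since a source-IP condition is exactly what is missing from the exhibit; the role-scoped remediation produces no finding. In practice the policy review is the detective control, and S3 Block Public Access at the account or bucket level is the preventive one that stops a policy like the first from being attached at all.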

94
MCQ · hard

A risk practitioner is conducting a threat modeling exercise for a new cloud-based application using the STRIDE methodology. Which of the following is the PRIMARY benefit of using STRIDE over a simple checklist?

A. It requires less expertise to perform
B. It automatically quantifies risk levels
C. It ensures consistent application of controls
D. It identifies threats by category, reducing the chance of missing key threat types
Answer: D

STRIDE's categories (Spoofing, Tampering, etc.) help ensure comprehensive threat identification.

Why this answer

The STRIDE methodology categorizes threats into six specific types (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege). This structured approach ensures that the threat modeling exercise systematically covers each category, reducing the likelihood of overlooking entire classes of threats that a simple checklist might miss. For a cloud-based application, this is critical because threats like elevation of privilege or information disclosure can manifest in unique ways across shared infrastructure, and STRIDE forces the practitioner to consider each category explicitly.

Exam trap

The trap here is that candidates often confuse a structured methodology like STRIDE with a simple checklist, assuming any structured approach automatically ensures control consistency or risk quantification, when in fact STRIDE's primary benefit is its categorical coverage that reduces blind spots.

How to eliminate wrong answers

Option A is wrong because STRIDE requires a solid understanding of each threat category and how to map them to system components, often demanding more expertise than a simple checklist. Option B is wrong because STRIDE is a qualitative categorization framework and does not automatically quantify risk levels; risk quantification requires separate analysis (e.g., likelihood/impact ratings, with CVSS serving only as a severity input to that analysis). Option C is wrong because while STRIDE can promote consistency in identifying threat types, it does not ensure consistent application of controls; controls are designed and implemented independently based on the identified threats.

95
MCQmedium

During a risk assessment, a risk practitioner identifies that a legacy application uses a deprecated encryption protocol. The application is critical for business operations and cannot be patched. Which of the following is the BEST approach to assess the risk?

A.Replace the application with a modern alternative
B.Analyze the threat landscape and existing compensating controls to determine residual risk
C.Assign a high inherent risk score without further analysis
D.Immediately escalate to senior management for an exception
AnswerB

Proper assessment involves analyzing threats and compensating controls to estimate residual risk.

Why this answer

The best approach is to evaluate the risk in the context of what is already in place: analyze the realistic threats to the deprecated protocol (for example, whether an attacker can reach the affected interface at all) and the compensating controls that reduce likelihood or impact, then estimate residual risk. That residual figure, not the raw weakness, is what the treatment decision rests on; if the compensating controls bring it within tolerance, it may be acceptable. Option A is a treatment decision, not an assessment, and is too extreme without analysis; option C skips the analysis entirely and overstates the risk; option D is premature because management cannot decide on an exception until the residual risk has been estimated.

96
MCQmedium

You are the IT risk manager at a multinational corporation that recently migrated its customer database to a cloud-based platform. The database contains personally identifiable information (PII) subject to GDPR. During a routine vulnerability scan, you discover that the database is accessible from the internet without encryption (port 1433 open). The cloud provider's shared responsibility model indicates that securing the database configuration is the customer's responsibility. You have identified the risk as high likelihood and high impact. The business owner argues that the database is only accessible to a limited IP range and that encryption would degrade performance. Which course of action should you recommend to treat the risk?

A.Transfer the risk by purchasing cyber insurance
B.Close the port or implement a VPN, and enforce encryption
C.Accept the risk because the IP restriction reduces likelihood
D.Implement a web application firewall (WAF) to monitor traffic
AnswerB

This directly mitigates the vulnerability and ensures compliance.

Why this answer

Option B is correct because closing the port or placing the database behind a VPN (or an equivalent private endpoint) removes the direct internet exposure, and enforcing encryption on the database connection protects the PII in transit; both are configuration items that the shared responsibility model assigns to the customer. Option C is wrong because the IP restriction only narrows who can reach the listener; it does nothing for confidentiality on the wire, and accepting a high-likelihood, high-impact risk to PII without compensating controls is not defensible under GDPR's security-of-processing obligation (Article 32). Option D is wrong because a WAF inspects HTTP traffic to a web application; it does not sit in front of a raw TCP database port such as 1433 and does not address the missing encryption. Option A is wrong because transferring risk via cyber insurance does not reduce the actual exposure, and the controller's regulatory obligations remain with the controller.

97
MCQhard

A financial institution is evaluating the risk of a new mobile payment application. The risk team calculates the Annual Loss Expectancy (ALE) as $500,000 based on a single loss expectancy (SLE) of $100,000 and an annual rate of occurrence (ARO) of 5. After implementing a new encryption control at a cost of $150,000 per year, the ALE is reduced to $200,000. What is the residual risk in terms of ALE after one year of control operation?

A.$200,000
B.$500,000
C.$350,000
D.$300,000
AnswerA

This is the post-control ALE, representing residual risk.

Why this answer

The residual risk is the remaining Annual Loss Expectancy (ALE) after controls are applied. Since the ALE after implementing the encryption control is explicitly stated as $200,000, that is the residual risk after one year of control operation. The control cost of $150,000 is a separate cost-of-control figure and does not reduce the ALE further; it is used for cost-benefit analysis, not for calculating residual risk.

Exam trap

The trap here is that candidates mistakenly subtract the control cost from the original or reduced ALE, thinking residual risk equals ALE minus control expenditure, when in fact residual risk is simply the post-control ALE as stated.

How to eliminate wrong answers

Option B ($500,000) is wrong because it represents the original ALE before any controls were implemented, ignoring the risk reduction from the encryption control. Option C ($350,000) is wrong because it incorrectly subtracts the control cost ($150,000) from the original ALE ($500,000), confusing cost of control with risk reduction. Option D ($300,000) is wrong because it incorrectly subtracts the control cost from the reduced ALE ($200,000), which is not how residual risk is calculated; residual risk is the remaining ALE after controls, not net of control costs.

98
MCQeasy

After a risk assessment, the risk owner states that the residual risk for a specific asset is within the organization's risk tolerance. Which of the following BEST describes the action that should be taken?

A.Transfer the risk to a third party
B.Implement additional controls to reduce risk further
C.Formally accept the risk and document the decision
D.Reassess the risk using a quantitative method
AnswerC

Acceptance is appropriate when residual risk is within tolerance.

Why this answer

When the risk owner confirms that residual risk is within the organization's risk tolerance, the appropriate action is to formally accept the risk and document the decision. This is a standard risk treatment option (risk acceptance) under the ISACA Risk IT Framework, where no further controls are needed because the residual risk level is already acceptable. Documenting the acceptance ensures auditability and accountability for the decision.

Exam trap

The trap here is that candidates often confuse 'residual risk within tolerance' with a need to 'transfer' or 'mitigate further,' failing to recognize that risk acceptance is the correct treatment when the risk level is already acceptable.

How to eliminate wrong answers

Option A is wrong because transferring the risk (e.g., via cyber insurance or outsourcing) is unnecessary when the residual risk is already within tolerance; transfer would introduce additional cost and complexity without benefit. Option B is wrong because implementing additional controls would over-engineer the risk response, wasting resources on reducing risk below the accepted tolerance level, which violates the principle of cost-effective risk management. Option D is wrong because reassessing the risk using a quantitative method is not required; the risk has already been assessed and the residual risk is within tolerance—reassessment would be redundant and delay the decision.

99
MCQeasy

During an IT risk assessment, a risk analyst discovers that a server contains sensitive customer data but is not included in the organization's vulnerability scanning program. What should the analyst do first?

A.Add the server to the high-risk register immediately.
B.Notify the vulnerability scan administrator to include the server in the next scan.
C.Perform a manual vulnerability assessment on the server.
D.Request an exception from management for the server to be exempt from scanning.
AnswerB

Direct action to include the server is the most immediate and effective response.

Why this answer

The analyst should report the missing server to the scan administrator to ensure it is included (Option B), as the immediate need is to close the scanning gap.

100
MCQeasy

An organization is conducting a business impact analysis (BIA) for its core banking system. Which of the following is the PRIMARY metric used to determine the urgency of recovery?

A.Service Level Agreement (SLA)
B.Recovery Time Objective (RTO)
C.Maximum Tolerable Downtime (MTD)
D.Recovery Point Objective (RPO)
AnswerC

MTD defines the maximum acceptable downtime before severe impact.

Why this answer

The Maximum Tolerable Downtime (MTD) is the primary metric for determining the urgency of recovery because it defines the total duration a business process can be unavailable before causing irreparable harm. For a core banking system, MTD directly reflects the maximum acceptable outage period from the business perspective, driving all recovery planning priorities.

Exam trap

The trap here is confusing RTO with MTD: candidates often pick RTO because it directly relates to recovery speed, but MTD is the business-driven ceiling that defines the urgency, while RTO is merely a derived target.

How to eliminate wrong answers

Option A is wrong because a Service Level Agreement (SLA) is a contractual commitment for normal operations, not a metric for recovery urgency during a disaster. Option B is wrong because Recovery Time Objective (RTO) is a target derived from MTD, not the primary determinant of urgency; it specifies the time within which recovery must occur but is subordinate to the business's maximum tolerable downtime. Option D is wrong because Recovery Point Objective (RPO) measures acceptable data loss (time between backups), not the urgency of system recovery after an outage.

101
MCQhard

A company calculates the annualized loss expectancy (ALE) for a server outage as $75,000. The cost to implement a high-availability solution is $200,000 with a lifespan of 5 years and annual maintenance of $10,000. What is the residual risk if the solution reduces outage likelihood by 90%?

A.$50,000
B.$7,500
C.$42,500
D.$57,500
AnswerB

Residual risk is the ALE after control implementation: $75,000 * 0.1 = $7,500.

Why this answer

The correct answer is B: $7,500. The annualized loss expectancy (ALE) before mitigation is $75,000. The high-availability solution reduces outage likelihood by 90%, so the residual ALE is 10% of $75,000 = $7,500.

The cost of the solution ($200,000 capital with $10,000 annual maintenance over 5 years) is used to calculate the cost-benefit or net present value, but does not directly affect the residual risk figure, which is purely the remaining expected loss after controls are applied.

Exam trap

The trap here is that candidates often mistakenly include the cost of the control (annualized or total) in the residual risk calculation, confusing residual risk (the remaining expected loss) with the net financial benefit or cost of the solution.

How to eliminate wrong answers

Option A ($50,000) is wrong because it is the annualized cost of the control ($200,000 / 5 years = $40,000, plus $10,000 maintenance), a spend figure, not the remaining expected loss. Option C ($42,500) and Option D ($57,500) are wrong because each mixes control cost into the loss figure ($42,500 is the $50,000 annualized cost less the $7,500 residual; $57,500 is the $67,500 annual risk reduction less the $10,000 maintenance); residual risk is the post-control ALE, $75,000 × (1 − 0.9) = $7,500, and no subtraction of cost belongs in it. The $50,000 annualized cost is compared with the $67,500 reduction in ALE separately, in the cost-benefit analysis, where it shows a net annual benefit of $17,500.
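
Both ALE questions (the $500,000 to $200,000 encryption case and the $75,000 / 90% high-availability case) turn on keeping the post-control ALE apart from the cost of the control. The following is an added example, not code from the exam page, that carries both scenarios through the same functions and reports residual ALE, annualized control cost and the cost-benefit figures side by side. Two inputs are assumptions of this example: the encryption control is modelled as a 60% likelihood reduction (the factor implied by the stated $500,000 to $200,000 change), and the $75,000 outage ALE is entered as an SLE of $75,000 with an ARO of 1.

```python
"""Annualized loss expectancy, residual ALE, and control cost-benefit.

Added example; not code from the exam page. It carries both exam scenarios
through (the $500,000 -> $200,000 encryption case and the $75,000 / 90 %
high-availability case). Where the page gives only the post-control ALE,
the equivalent reduction factor (60 %) is derived from the stated figures
and is an assumption of this example.
"""
from dataclasses import dataclass
from typing import Dict


@dataclass(frozen=True)
class Control:
    name: str
    capital_cost: float = 0.0          # one-off spend, spread over lifespan_years
    lifespan_years: int = 1
    annual_maintenance: float = 0.0
    likelihood_reduction: float = 0.0  # fraction of ARO the control removes (0..1)
    impact_reduction: float = 0.0      # fraction of SLE the control removes (0..1)

    def annualized_cost(self) -> float:
        return self.capital_cost / self.lifespan_years + self.annual_maintenance


def ale(sle: float, aro: float) -> float:
    """Annualized loss expectancy = single loss expectancy x annual rate of occurrence."""
    return sle * aro


def residual_ale(sle: float, aro: float, control: Control) -> float:
    """Post-control ALE: the control scales likelihood and/or impact, never the cost."""
    for frac in (control.likelihood_reduction, control.impact_reduction):
        if not 0.0 <= frac <= 1.0:
            raise ValueError("reduction factors must lie in [0, 1]")
    return ale(sle * (1.0 - control.impact_reduction),
               aro * (1.0 - control.likelihood_reduction))


def evaluate(sle: float, aro: float, control: Control) -> Dict[str, float]:
    """Keep residual risk (a loss figure) separate from control cost (a spend figure)."""
    before = ale(sle, aro)
    after = residual_ale(sle, aro, control)
    cost = control.annualized_cost()
    reduction = before - after
    return {
        "ale_before": before,
        "residual_ale": after,            # the exam's "residual risk"
        "risk_reduction": reduction,
        "annualized_control_cost": cost,
        "net_annual_benefit": reduction - cost,
        "rosi": (reduction - cost) / cost if cost else float("inf"),
    }


# Scenario 1: SLE $100,000, ARO 5 -> ALE $500,000; encryption control costs
# $150,000/year and brings ALE to $200,000 (modelled as a 60 % likelihood cut).
ENCRYPTION = Control("encryption", annual_maintenance=150_000, likelihood_reduction=0.6)

# Scenario 2: ALE $75,000 (entered as SLE $75,000 with ARO 1, an assumption);
# HA solution $200,000 over 5 years plus $10,000/year, cutting likelihood by 90 %.
HIGH_AVAILABILITY = Control("high availability", capital_cost=200_000,
                            lifespan_years=5, annual_maintenance=10_000,
                            likelihood_reduction=0.9)

if __name__ == "__main__":
    for label, sle, aro, ctl in (("mobile payments", 100_000, 5, ENCRYPTION),
                                 ("server outage", 75_000, 1, HIGH_AVAILABILITY)):
        result = evaluate(sle, aro, ctl)
        print(f"{label} / {ctl.name}:")
        for key, value in result.items():
            print(f"  {key:<24} {value:>12,.2f}")
```

For the encryption scenario the residual ALE is $200,000 and the net annual benefit $150,000 (ROSI 1.0); for the high-availability scenario the residual ALE is $7,500 against a $50,000 annualized cost, leaving a net benefit of $17,500 (ROSI 0.35). The distractor values in both questions all come from folding the cost column into the residual column, which the `evaluate` function never does.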

102
MCQeasy

You are the risk manager for a healthcare provider. A risk assessment identified that patient data is transmitted over unencrypted connections between clinics and the data center. The existing controls include strong network perimeter defenses. The risk is rated as high. Management is concerned about the cost of implementing encryption. You have proposed a control that encrypts data in transit. However, the network team argues that the perimeter controls are sufficient. What is the MOST appropriate response?

A.Transfer the risk to a third party by outsourcing data transmission.
B.Accept the risk because perimeter controls are in place.
C.Reduce the risk rating to medium since perimeter controls provide compensating security.
D.Implement encryption as recommended because it addresses the vulnerability directly.
AnswerD

Provides necessary protection for data in transit.

Why this answer

Option D is correct because encrypting data in transit directly addresses the vulnerability of unencrypted connections, which is the root cause of the high risk. Perimeter controls like firewalls and IDS/IPS do not protect the confidentiality of data once it leaves the protected network boundary, as they cannot prevent interception on the wire. Implementing encryption (e.g., TLS 1.2/1.3 or IPsec) ensures end-to-end confidentiality regardless of perimeter strength.

Exam trap

The trap here is that candidates may overestimate the effectiveness of perimeter controls (e.g., firewalls) as a compensating control for data-in-transit encryption, failing to recognize that they operate at different OSI layers and cannot prevent interception of unencrypted traffic after it leaves the network boundary.

How to eliminate wrong answers

Option A is wrong because transferring risk to a third party does not eliminate the vulnerability; the third party would still need to encrypt data in transit, and outsourcing introduces additional risks like vendor management and data sovereignty. Option B is wrong because accepting the risk ignores the high-risk rating and the fact that perimeter controls do not protect data in transit from eavesdropping attacks such as packet sniffing or man-in-the-middle (MITM) exploits. Option C is wrong because reducing the risk rating based on compensating controls is a subjective adjustment that violates risk assessment principles; perimeter controls do not compensate for the lack of encryption, as they operate at different layers (network vs. transport/application).

103
MCQeasy

Which of the following BEST describes inherent risk?

A.The risk level before any controls are applied
B.The level of risk after implementing controls
C.The amount of risk the organization is willing to accept
D.The risk level that remains after considering existing controls
AnswerA

Inherent risk is the gross risk without mitigation.

Why this answer

Inherent risk is defined as the level of risk that exists in the absence of any controls or mitigations. It represents the raw, untreated risk exposure that an organization faces from a specific threat-vulnerability pair, such as the risk of data exfiltration from an unpatched web server before any firewall rules, intrusion detection systems, or encryption are applied.

Exam trap

The trap here is confusing inherent risk with residual risk, as many candidates mistakenly think that 'risk after controls' is the starting point, but CRISC defines inherent risk as the risk level before any controls are applied.

How to eliminate wrong answers

Option B is wrong because it describes residual risk, which is the risk level after controls are implemented. Option C is wrong because it defines risk appetite, the amount of risk an organization is willing to accept, not inherent risk. Option D is wrong because it also describes residual risk, which is the risk remaining after considering existing controls, not the baseline before controls.

104
MCQmedium

An organization uses a qualitative risk assessment methodology. The risk matrix has impact and likelihood scales of 1-5. A risk is assessed with impact=4 and likelihood=3. What is the risk level?

A.Critical
B.High
C.Low
D.Medium
AnswerB

Product of 12 falls in high range.

Why this answer

In a qualitative risk assessment with a 5x5 risk matrix (impact and likelihood scales of 1-5), the risk level is determined by multiplying the impact and likelihood scores. Here, 4 (impact) × 3 (likelihood) = 12. In the banding most organizations use for a multiplicative 5x5 matrix (Low 1-5, Medium 6-9, High 10-15, Critical 16-25), a product of 12 falls into the 'High' category.

The bands themselves are set by the organization's methodology, not by ISACA; the question assumes this common banding, and a score of 12 sits above the High threshold (10) but below the Critical threshold (16).

Exam trap

The trap here is that candidates often misapply the matrix by adding impact and likelihood (4+3=7) and selecting 'Medium', instead of multiplying (4×3=12) to correctly identify 'High'.

How to eliminate wrong answers

Option A is wrong because 'Critical' usually requires a product of 16-25 (e.g., impact=5 and likelihood=4 or 5), not 12. Option C is wrong because 'Low' corresponds to a product of 1-5 (e.g., impact=1 and likelihood=2), far below 12. Option D is wrong because 'Medium' typically covers a product of 6-9 (e.g., impact=3 and likelihood=3), whereas 12 exceeds that range.

105
MCQhard

An organization has a legacy system that cannot be patched due to vendor end-of-life. The system processes non-critical data. The risk manager has determined that the likelihood of exploitation is low, but the impact would be high. Which risk response strategy is MOST appropriate?

A.Mitigate the risk by applying vendor patches.
B.Avoid the risk by decommissioning the system immediately.
C.Transfer the risk by purchasing cyber insurance.
D.Accept the risk with compensating controls such as network segmentation.
AnswerD

Compensating controls reduce likelihood without patching.

Why this answer

Option D is correct because the system processes non-critical data and cannot be patched, so the appropriate strategy is to reduce what can be reduced with compensating controls and then formally accept the residual risk. Network segmentation lowers the likelihood of exploitation by restricting who can reach the legacy system and isolates it from critical assets, which also limits the impact of a compromise; with the likelihood already low and the data non-critical, decommissioning or insurance are less suitable. This aligns with CRISC guidance for legacy systems where patching is impossible and the residual risk is within the organization's risk appetite.

Exam trap

ISACA often tests the misconception that 'high impact' always requires mitigation or avoidance, but the trap here is that when likelihood is low and the data is non-critical, acceptance with compensating controls is the most cost-effective and appropriate response per the risk management framework.

How to eliminate wrong answers

Option A is wrong because the vendor has ended support, meaning no patches are available, so mitigation via patching is technically infeasible. Option B is wrong because decommissioning immediately is an extreme response for a system processing non-critical data with low exploitation likelihood; it would likely cause unnecessary operational disruption and cost. Option C is wrong because cyber insurance transfers financial risk but does not reduce the likelihood or impact of exploitation; it is a secondary response and not the most appropriate primary strategy for a low-likelihood, high-impact scenario where compensating controls can be applied.

106
MCQmedium

After a risk assessment, the risk owner determines that the residual risk is still above the risk appetite. Which of the following is the MOST appropriate next step?

A.Transfer the risk
B.Ignore the risk
C.Accept the risk
D.Implement additional controls
AnswerD

Adding controls reduces residual risk to an acceptable level.

Why this answer

When residual risk remains above the risk appetite after initial risk assessment, the most appropriate next step is to implement additional controls to further reduce the risk to an acceptable level. This aligns with the risk treatment process where controls are selected and applied to lower the likelihood or impact of the risk event. Simply transferring, ignoring, or accepting the risk without further action would not address the gap between residual risk and risk appetite.

Exam trap

ISACA often tests the misconception that risk acceptance is always the default next step, but the trap here is that acceptance is only valid when residual risk is within appetite; when it is above, additional controls must be considered first.

How to eliminate wrong answers

Option A is wrong because transferring the risk (e.g., via insurance or outsourcing) does not reduce the likelihood or impact of the event; it only shifts part of the financial consequence, and the residual risk may still exceed appetite if the transfer is incomplete or not cost-effective. Option B is wrong because ignoring the risk is a deliberate avoidance of responsibility and violates the risk management principle that risks above appetite must be treated, not neglected. Option C is wrong because accepting the risk without implementing additional controls is only appropriate if the residual risk is within the risk appetite; here it is above, so acceptance without further action would be non-compliant with policy.

107
MCQeasy

Based on the exhibit, which risk is MOST likely to be identified during a risk assessment?

A.Weak passwords on user workstations
B.Unauthorized physical access to the data center
C.Lateral movement risk from DMZ to internal network
D.Incomplete audit logs on firewalls
AnswerC

Lack of segmentation allows propagation of attacks.

Why this answer

Option C is correct because the lack of segmentation between the DMZ and the internal network means that if a server in the DMZ is compromised, the attacker can move laterally into the internal network. Option A is wrong because the exhibit does not indicate weak passwords or other access control weaknesses on workstations. Option D is wrong because there is no indication of incomplete firewall logging.

Option B is wrong because physical security is not mentioned.

108
MCQmedium

During a risk assessment, the risk manager identifies that the likelihood of a cyber-attack is high due to recent industry trends. However, the existing controls are deemed effective in reducing impact. Which of the following is the MOST appropriate risk response?

A.Mitigate
B.Avoid
C.Accept
D.Transfer
AnswerA

Mitigating by maintaining or enhancing controls is appropriate given high likelihood.

Why this answer

Mitigate is the most appropriate risk response because the likelihood of a cyber-attack is high, but existing controls are effective in reducing the impact. Mitigation involves implementing additional controls or enhancing existing ones to reduce the likelihood or impact further, which aligns with the scenario where controls are already effective but need to be strengthened to address the high likelihood.

Exam trap

ISACA often tests the distinction between 'mitigate' and 'transfer' by presenting scenarios where controls are effective but likelihood is high, leading candidates to incorrectly choose transfer (e.g., insurance) instead of recognizing that mitigation directly addresses the likelihood through additional technical controls.

How to eliminate wrong answers

Option B (Avoid) is wrong because avoiding the risk would require discontinuing the activity or system that exposes the organization to the cyber-attack, which is not necessary when controls are already effective and the risk can be managed. Option C (Accept) is wrong because accepting the risk implies a conscious decision to tolerate the potential impact without further action, which is inappropriate when the likelihood is high and controls are only effective, not optimal. Option D (Transfer) is wrong because transferring the risk (e.g., via cyber insurance) shifts the financial impact but does not address the high likelihood of the attack occurring, and the existing controls are already reducing impact, making mitigation a more direct response.

109
MCQhard

A multinational corporation is assessing the risk of non-compliance with GDPR. Which of the following is the BEST approach to quantify the potential fine?

A.Base the estimate on the organization's annual global turnover
B.Estimate based on the cost of cyber insurance premiums
C.Calculate the cost of data breach using the Ponemon Institute model
D.Use industry benchmarks for data breach costs
AnswerA

GDPR fines are up to the greater of €20 million or 4% of annual global turnover.

Why this answer

Under GDPR, the maximum fine for non-compliance is the greater of €20 million or 4% of the organization's annual global turnover. Therefore, basing the estimate on annual global turnover directly aligns with the regulatory formula used by supervisory authorities, making it the most accurate and defensible quantification approach for potential fines.

Exam trap

ISACA often tests the distinction between regulatory fines (which follow a fixed statutory formula) and broader breach costs (which include operational, reputational, and legal expenses), leading candidates to mistakenly select a comprehensive cost model like Ponemon instead of the turnover-based regulatory calculation.

How to eliminate wrong answers

Option B is wrong because cyber insurance premiums reflect market pricing for risk transfer, not the statutory penalty calculation defined in GDPR Article 83. Option C is wrong because the Ponemon Institute model estimates the total cost of a data breach (including detection, notification, and lost business), not the regulatory fine specifically. Option D is wrong because industry benchmarks for data breach costs are averages across sectors and do not incorporate the organization-specific turnover figure that GDPR mandates for fine calculation.

110
MCQhard

During a risk assessment, the risk manager finds that a critical application has a single point of failure in its network path. The application's availability requirement is 99.99%. The current design achieves only 99.9% uptime. Which risk metric should be calculated first?

A.Annualized Loss Expectancy (ALE) based on potential downtime cost.
B.Risk gap between required and current service level.
C.Exposure factor (EF) representing the percentage of loss.
D.Single loss expectancy (SLE) for a single outage event.
AnswerB

Quantifying the gap helps prioritize remediation efforts and calculate downstream metrics.

Why this answer

The risk manager must first quantify the risk gap between the required 99.99% availability (approximately 52.56 minutes of downtime per year) and the current 99.9% availability (approximately 525.6 minutes per year). This gap of 473.04 minutes per year establishes the magnitude of the risk exposure before any financial calculations (ALE, SLE, EF) can be performed, as those metrics depend on knowing the actual downtime that needs to be costed.

Exam trap

The trap here is that candidates rush to calculate financial metrics (ALE, SLE, EF) without first establishing the foundational risk gap, which is the prerequisite for any meaningful quantitative risk analysis.

How to eliminate wrong answers

Option A is wrong because Annualized Loss Expectancy (ALE) requires the annual rate of occurrence (ARO) and single loss expectancy (SLE), which themselves depend on knowing the risk gap first; calculating ALE without the gap would use incorrect downtime figures. Option C is wrong because Exposure Factor (EF) is a percentage of asset value lost per incident, but the question asks for the first metric to calculate, and EF is derived after the risk gap is understood. Option D is wrong because Single Loss Expectancy (SLE) is calculated as asset value × exposure factor, and without first establishing the risk gap (the actual downtime difference), the SLE would be based on the wrong outage duration.

111
MCQeasy

Which risk assessment approach is most appropriate for a new technology that has limited historical data and high uncertainty?

A.Quantitative risk assessment using ALE calculations.
B.Bow-tie analysis to map causes and consequences.
C.Automated risk scoring based on industry benchmarks.
D.Delphi technique with a panel of experts.
AnswerD

The Delphi technique is a qualitative method that uses expert consensus, suitable for uncertain environments.

Why this answer

The Delphi technique is most appropriate for a new technology with limited historical data and high uncertainty because it leverages the collective judgment of a panel of experts through iterative, anonymous rounds to reach a consensus on risk likelihood and impact. This approach does not rely on historical loss data or predefined benchmarks, making it ideal for novel or emerging technologies where empirical data is scarce.

Exam trap

The trap here is that candidates often choose quantitative methods like ALE (Option A) because they seem more 'objective,' failing to recognize that such methods are data-dependent and inappropriate when historical data is absent or unreliable.

How to eliminate wrong answers

Option A is wrong because quantitative risk assessment using ALE (Annualized Loss Expectancy) calculations requires reliable historical data on frequency and magnitude of losses, which is unavailable for a new technology with high uncertainty. Option B is wrong because bow-tie analysis is a structured method for mapping known causes and consequences of a specific risk event, but it presupposes a clear understanding of threat scenarios and controls, which is lacking when historical data is limited. Option C is wrong because automated risk scoring based on industry benchmarks assumes that the technology's risk profile aligns with established patterns from similar technologies, which is invalid for a novel technology where benchmarks do not exist or are not applicable.

112
MCQeasy

What is the primary risk if the WAF is misconfigured?

A.SQL injection attacks
B.Unauthorized database access
C.Denial of service
D.Network segmentation failure
AnswerA

WAF misconfiguration increases vulnerability to web attacks.

Why this answer

A WAF protects against web application attacks such as SQL injection. If it is misconfigured, the web application it fronts is exposed to exactly the request patterns it was deployed to block. Option A is correct.

Network segmentation failure (D) is not directly related; a WAF inspects application-layer traffic and is not a segmentation control. Denial of service (C) is a possibility but not the primary risk. Unauthorized database access (B) could result from a successful SQL injection but is a consequence, not the primary risk.

113
MCQmedium

A company has identified that its legacy financial system has a high inherent risk due to outdated architecture. The system cannot be replaced for three years. What is the best risk treatment strategy?

A.Accept the risk and allocate contingency funds for potential incidents.
B.Transfer the risk by purchasing cyber insurance.
C.Avoid the risk by discontinuing the system immediately.
D.Implement compensating controls such as network segmentation and enhanced monitoring.
AnswerD

Compensating controls reduce residual risk while the system remains in place.

Why this answer

Option D is correct because when a legacy system cannot be replaced for three years, the most effective risk treatment is to reduce the likelihood and impact of exploitation through compensating controls. Network segmentation limits lateral movement from the legacy system, and enhanced monitoring (e.g., SIEM with custom rules for anomalous traffic) provides early detection of compromise. This aligns with the ISACA risk treatment principle of risk reduction when avoidance or transfer is not feasible.

Exam trap

The trap here is that candidates often choose risk acceptance (Option A) or transfer (Option B) without recognizing that high inherent risk demands active reduction measures, especially when the system cannot be decommissioned.

How to eliminate wrong answers

Option A is wrong because accepting the risk without active reduction measures ignores the high inherent risk from outdated architecture, and contingency funds alone do not prevent data breaches or system downtime. Option B is wrong because cyber insurance transfers financial impact but does not reduce the operational or reputational risk; insurers may also deny claims if compensating controls are absent. Option C is wrong because discontinuing the system immediately would halt critical business operations, and the question explicitly states the system cannot be replaced for three years, making avoidance impractical.

114
MCQeasy

You are the IT risk manager for a financial institution that processes high-value transactions. The organization uses a cloud-based core banking system and on-premises servers for backup. During a recent risk assessment, you identified that the cloud provider's service-level agreement (SLA) guarantees 99.9% uptime, but the organization's business impact analysis (BIA) indicates that every hour of downtime costs $500,000. The current recovery time objective (RTO) for the core banking system is 4 hours, but the actual recovery capability is 6 hours due to manual steps in failover. The risk owner has accepted this risk informally. You are asked to recommend a course of action to the risk committee. Which of the following is the most appropriate recommendation?

A. Accept the risk because the cloud provider's SLA covers 99.9% uptime.
B. Continue with informal acceptance since the risk owner has already accepted it.
C. Reduce the RTO to 2 hours to align with industry best practices.
D. Document the risk gap (actual recovery of 6 hours vs. RTO of 4 hours) and present it to the risk committee for formal risk acceptance or remediation.
Answer: D

Formal documentation and escalation ensure the risk is properly managed and decisions are recorded.

Why this answer

The correct answer is D because the organization has a critical risk gap: the actual recovery capability (6 hours) exceeds the stated RTO (4 hours), meaning the business would incur $1M in losses (2 hours × $500K) before recovery completes. The risk owner's informal acceptance is insufficient for a financial institution processing high-value transactions; formal documentation and risk committee approval are required for governance and regulatory compliance. Presenting the gap enables informed decision-making on whether to accept the risk formally or invest in remediation (e.g., automating failover to meet the 4-hour RTO).

Exam trap

The trap here is that candidates confuse the cloud provider's SLA with the organization's RTO/RTA gap, or assume informal risk acceptance is sufficient, when CRISC emphasizes formal documentation and committee-level decision-making for risks exceeding thresholds.

How to eliminate wrong answers

Option A is wrong because the cloud provider's 99.9% SLA (8.76 hours annual downtime) does not address the specific gap between the 4-hour RTO and 6-hour actual recovery; it only covers cloud uptime, not the manual failover delays causing the breach. Option B is wrong because informal acceptance lacks the formal documentation and risk committee oversight required by CRISC best practices and regulatory standards (e.g., FFIEC guidelines for financial institutions), leaving the organization exposed to unmanaged risk. Option C is wrong because reducing the RTO to 2 hours without addressing the underlying manual failover process would widen the gap (actual 6 hours vs. new RTO of 2 hours), increasing potential losses to $2M per incident, and is not a feasible remediation without significant investment.

115
MCQ · hard

Based on the exhibit, what is the MOST likely risk scenario?

A. Phishing attack that captured user credentials
B. Brute force attack resulting in account compromise
C. Insider threat from a legitimate user
D. Denial of service attack on the authentication server
Answer: B

Multiple failed attempts followed by success indicates compromise.

Why this answer

The exhibit shows a high number of failed authentication attempts from a single IP address over a short time window, followed by a successful login. This pattern is characteristic of a brute force attack, where an attacker systematically tries many password combinations until one succeeds, leading to account compromise.

Exam trap

ISACA often tests the distinction between authentication failures from a brute force attack versus a denial of service attack, where candidates mistakenly choose DoS because they see many failed attempts, but the key is that the server remains functional and a successful login occurs.

How to eliminate wrong answers

Option A is wrong because a phishing attack would typically capture credentials via a deceptive email or website, not through a high volume of failed logins from a single source. Option C is wrong because an insider threat from a legitimate user would not generate numerous failed authentication attempts; a legitimate user would likely succeed on the first try or have a few failures due to forgotten passwords, not a sustained brute force pattern. Option D is wrong because a denial of service attack on the authentication server would cause a flood of traffic or requests, overwhelming the server and preventing legitimate logins, but the exhibit shows a successful login after failures, indicating the server remained responsive and the attack targeted a specific account, not the server's availability.
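The pattern the explanation describes (many failures from one source in a short window, then a success, with the server still answering) is what a detection rule should key on. The following is an added example, not the page's exhibit or any vendor's rule: it runs a sliding-window counter over constructed sshd-style log lines (documentation IP ranges, fixed year assumed for the syslog timestamps) and raises an alert only when a success follows at least `threshold` failures from the same IP inside `window`. A burst of failures with no success, which is what a DoS or a locked account looks like, does not alert.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (the page's exhibit is not reproduced here).
SAMPLE_LOG = """\
Mar 10 08:00:01 srv1 sshd[101]: Failed password for alice from 203.0.113.7 port 51000 ssh2
Mar 10 08:00:03 srv1 sshd[102]: Failed password for alice from 203.0.113.7 port 51001 ssh2
Mar 10 08:00:04 srv1 sshd[103]: Failed password for alice from 203.0.113.7 port 51002 ssh2
Mar 10 08:00:06 srv1 sshd[104]: Failed password for alice from 203.0.113.7 port 51003 ssh2
Mar 10 08:00:07 srv1 sshd[105]: Failed password for alice from 203.0.113.7 port 51004 ssh2
Mar 10 08:00:09 srv1 sshd[106]: Accepted password for alice from 203.0.113.7 port 51005 ssh2
Mar 10 08:05:00 srv1 sshd[107]: Failed password for bob from 198.51.100.4 port 40000 ssh2
Mar 10 08:05:20 srv1 sshd[108]: Accepted password for bob from 198.51.100.4 port 40001 ssh2
"""

# Syslog-style sshd line; the year is not in the timestamp, so it is assumed.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<ip>\S+)"
)


def parse(line, year=2024):
    """Return a dict for an auth event, or None for lines we do not understand."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "ok": m["result"] == "Accepted", "user": m["user"], "ip": m["ip"]}


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Alert when a source IP logs >= threshold failures inside `window` and then
    succeeds: the failed-then-successful pattern described in the explanation."""
    failures = defaultdict(list)  # ip -> timestamps of failures still inside the window
    alerts = []
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        recent = [t for t in failures[ev["ip"]] if ev["ts"] - t <= window]
        if ev["ok"]:
            if len(recent) >= threshold:
                alerts.append({"ip": ev["ip"], "user": ev["user"],
                               "failures": len(recent), "success_at": ev["ts"]})
            failures[ev["ip"]] = []  # a success closes the sequence
        else:
            recent.append(ev["ts"])
            failures[ev["ip"]] = recent
    return alerts


if __name__ == "__main__":
    for a in detect_bruteforce(SAMPLE_LOG):
        print(f"possible credential brute force: {a['ip']} -> {a['user']} "
              f"after {a['failures']} failures, success at {a['success_at']}")
```

With the constructed lines, only 203.0.113.7 trips the rule: five failures in eight seconds and then an accepted login, which is the account-compromise signal the question is about. Bob's single typo followed by a success stays below the threshold. In a SIEM the same logic would be expressed as a correlation rule keyed on source IP with the threshold tuned to the environment's normal failure rate.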

116
MCQ · easy

A small manufacturing company is conducting its first IT risk assessment. The company has a flat network with no segmentation, and all employees have administrative access to their workstations. The risk practitioner identifies that a malware infection on one workstation could easily spread to the entire network. The company has a limited budget for IT security improvements. Which of the following risk treatment options is MOST cost-effective and practical?

A. Accept the risk because the company's data is not highly sensitive.
B. Deploy endpoint protection software on all workstations and restrict administrative rights for users.
C. Implement network segmentation and a next-generation firewall.
D. Purchase cyber insurance to cover potential losses.
Answer: B

Low cost, high impact on limiting malware spread.

Why this answer

Option B is the most cost-effective and practical because deploying endpoint protection software provides immediate defense against known malware, while restricting administrative rights prevents users from installing unauthorized software or making system changes that could introduce malware. This combination directly addresses the root cause of the risk—unrestricted user privileges and lack of basic malware defenses—without requiring expensive network redesign or ongoing insurance premiums.

Exam trap

The trap here is that candidates may choose network segmentation (Option C) as the ideal technical solution, but the question emphasizes cost-effectiveness and practicality for a small company with a limited budget, making the simpler, cheaper controls in Option B the better choice.

How to eliminate wrong answers

Option A is wrong because accepting the risk ignores the high likelihood and potential impact of a malware infection spreading across a flat network, even if data is not highly sensitive; operational downtime and recovery costs can be significant for a small company. Option C is wrong because network segmentation and a next-generation firewall are more expensive and complex to implement than endpoint protection and privilege restriction, making them less practical for a limited budget. Option D is wrong because cyber insurance does not reduce the likelihood or impact of a malware infection; it only provides financial compensation after a loss, which may not cover all costs (e.g., reputational damage, operational downtime) and often requires proof of basic security controls.

117
MCQ · medium

Refer to the exhibit. An organization has identified vulnerabilities on a critical server. The risk owner has limited resources and can remediate only one finding this quarter. Based on the information provided, which approach is the most appropriate risk assessment decision?

A. Remediate both findings by reallocating budget from another project.
B. Remediate the SSL/TLS certificate vulnerability first, as it affects a critical service and has a higher severity.
C. Remediate the SSH vulnerability first because it is easier to fix (upgrade OpenSSH).
D. Accept both risks because they are low and medium severity, and resources are limited.
Answer: B

This prioritizes the higher-risk finding on a critical server, making the best use of limited resources.

Why this answer

Option B is correct because the SSL/TLS certificate vulnerability affects a critical service (likely HTTPS) and has a higher severity rating, making it the most urgent risk to address given limited resources. Risk assessment prioritizes remediating vulnerabilities that pose the greatest threat to critical business functions, even if another finding is easier to fix. The risk owner should allocate the single remediation slot to the highest-severity vulnerability on a critical server to maximize risk reduction.

Exam trap

The trap here is that candidates often choose the easiest fix (Option C) or assume budget reallocation is always possible (Option A), failing to recognize that risk assessment prioritization must be based on severity and business impact, not remediation effort or resource flexibility.

How to eliminate wrong answers

Option A is wrong because it violates the constraint of limited resources by suggesting reallocation of budget from another project, which is not an option presented in the scenario and would introduce additional risk and approval overhead. Option C is wrong because it prioritizes ease of remediation (upgrading OpenSSH) over severity and business impact, which contradicts the risk assessment principle of addressing the highest-risk findings first. Option D is wrong because accepting both risks is inappropriate when one vulnerability is high severity and affects a critical service; risk acceptance should only be considered for low-severity findings with minimal business impact, not for critical server vulnerabilities.

118
MCQ · hard

An organization uses a quantitative risk analysis method. The annualized loss expectancy (ALE) for a specific risk is calculated as $500,000. The cost of implementing a control is $150,000 per year, and it is expected to reduce the ALE by 80%. What is the net benefit of implementing the control?

A. $50,000
B. $400,000
C. $250,000
D. $350,000
Answer: C

Correct calculation of net benefit.

Why this answer

The current ALE is $500,000. An 80% reduction means the ALE decreases by $400,000, resulting in a new ALE of $100,000. The annual control cost is $150,000.

The net benefit is the reduction in ALE ($400,000) minus the control cost ($150,000), which equals $250,000. Option C is correct because it correctly calculates the net benefit as the risk reduction minus the control cost.

Exam trap

The trap here is that candidates often confuse the gross reduction in ALE ($400,000) with the net benefit, forgetting to subtract the annual control cost, leading them to select Option B.

How to eliminate wrong answers

Option A is wrong because $50,000 would result from incorrectly subtracting the control cost from the new ALE ($100,000 - $150,000 = -$50,000) or miscomputing the reduction. Option B is wrong because $400,000 is the gross reduction in ALE, not the net benefit after subtracting the $150,000 control cost. Option D is wrong because $350,000 would result from subtracting the control cost from the original ALE ($500,000 - $150,000) or from incorrectly calculating the reduction as 80% of the control cost.

119
MCQ · easy

A financial institution is selecting a risk assessment methodology for evaluating cybersecurity risks across its critical systems. Which of the following is the PRIMARY consideration when choosing between qualitative and quantitative approaches?

A. The skill level of the risk assessment team
B. The organization's risk appetite statement
C. Compliance with regulatory requirements
D. Availability of reliable numerical data for risk factors
Answer: D

Quantitative analysis relies on numerical data; if unavailable, qualitative is preferred.

Why this answer

The choice between qualitative and quantitative risk assessment hinges on the availability of reliable numerical data. Quantitative methods require precise, objective data (e.g., asset values, historical loss frequencies, exposure factors) to compute metrics like Annualized Loss Expectancy (ALE). Without such data, the results would be misleading, making qualitative approaches (using ordinal scales and expert judgment) more appropriate.

This is the primary technical gate, as it directly determines the feasibility and validity of the quantitative model.

Exam trap

The trap here is that candidates confuse 'primary consideration' with 'most important factor overall' and pick regulatory compliance (C), but the question specifically asks for the consideration that determines the choice between the two methodologies, which is data availability.

How to eliminate wrong answers

Option A is wrong because while team skill affects execution, it is not the primary consideration; a skilled team can adapt to either methodology, but the data foundation must exist first. Option B is wrong because the risk appetite statement guides risk acceptance thresholds, not the selection of a methodology; both qualitative and quantitative outputs can be mapped to appetite. Option C is wrong because regulatory requirements typically mandate a risk assessment process (e.g., NIST CSF, ISO 27001) but do not prescribe a specific methodology (qualitative vs. quantitative); compliance can be achieved with either.

120
Matching · medium

Match each risk analysis formula to its component.

Concepts and their matching descriptions:

SLE (single loss expectancy): Asset value × exposure factor
ARO (annualized rate of occurrence): Annual frequency of occurrence
ALE (annualized loss expectancy): SLE × ARO
EF (exposure factor): Percentage of asset lost per incident

Why these pairings

Quantitative risk analysis uses these formulas to calculate expected loss.

121
MCQ · medium

An organization recently experienced a data breach due to a misconfigured cloud storage bucket. As part of the IT risk assessment, which control should be prioritized to prevent recurrence?

A. Require management approval for all cloud storage changes.
B. Implement mandatory annual security awareness training for all employees.
C. Increase the frequency of third-party penetration testing.
D. Deploy automated cloud configuration scanning and remediation tools.
Answer: D

Automated scanning detects and often corrects misconfigurations in real-time, directly mitigating the root cause.

Why this answer

Option D is correct because automated cloud configuration scanning and remediation tools directly address the root cause of a misconfigured cloud storage bucket by continuously monitoring cloud infrastructure against security baselines (e.g., CIS benchmarks) and automatically correcting deviations. This prevents recurrence by catching misconfigurations in real time, rather than relying on manual approval processes or periodic testing that may miss transient changes.

Exam trap

The trap here is that candidates often choose Option A (management approval) because it seems like a strong administrative control, but CRISC emphasizes that preventive technical controls—especially automated ones—are prioritized over manual processes for recurring technical risks like cloud misconfigurations.

How to eliminate wrong answers

Option A is wrong because requiring management approval for all cloud storage changes introduces a manual bottleneck that does not prevent misconfigurations from being deployed; it only adds a review step that may still miss technical misconfigurations, especially in dynamic cloud environments with Infrastructure as Code (IaC). Option B is wrong because mandatory annual security awareness training, while valuable for general security hygiene, does not address the specific technical failure of a misconfigured cloud bucket—training cannot prevent automated or scripted misconfigurations that bypass human interaction. Option C is wrong because increasing the frequency of third-party penetration testing provides only periodic snapshots of security posture and cannot detect or remediate misconfigurations that occur between tests; it is a detective control, not a preventive one.

122
MCQ · hard

Based on the exhibit, what is the MOST significant risk exposure?

A. The policy does not include deny statements, so all access is allowed
B. The AdminRole can access both buckets
C. Public access to the public-bucket with no restrictions
D. The anonymous access to the confidential-bucket
Answer: C

Anyone (Principal: *) can get objects from the public-bucket, posing a data leakage risk.

Why this answer

Option C is correct because public access to the public-bucket with no restrictions means that anyone on the internet can read, write, or delete objects in that bucket. This is the most significant risk exposure because it directly exposes data to unauthorized users without any authentication or authorization controls, violating the principle of least privilege and potentially leading to data breaches or data loss.

Exam trap

The trap here is that candidates may focus on the absence of deny statements (Option A) or the presence of admin access (Option B) as the primary risk, but the most significant exposure is the unrestricted public access to the public-bucket, which directly violates data confidentiality.

How to eliminate wrong answers

Option A is wrong because the absence of deny statements does not automatically allow all access; access control policies in AWS S3 are evaluated based on the combination of bucket policies, IAM policies, and ACLs, and the default is to deny all access unless explicitly allowed. Option B is wrong because the AdminRole having access to both buckets is not inherently a risk; it is a legitimate administrative privilege that is expected and can be managed with proper controls. Option D is wrong because anonymous access to the confidential-bucket is not indicated in the exhibit; the exhibit shows that the confidential-bucket has a policy that denies anonymous access, so this option describes a scenario that does not exist.
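Question 121 asks for automated configuration scanning as the control, and this question shows the kind of finding such a scanner has to surface: an Allow statement whose Principal is `*`. The following is an added example, not the page's exhibit or any AWS tooling: two constructed bucket policies modelled on the question's wording (account ID and role ARN are placeholders) and a small checker that reports only unconditional Allow statements with a wildcard principal, rates them by whether the granted actions can modify data, and treats Deny statements as never granting access, which is why the confidential-bucket produces no finding.

```python
import json

ACCOUNT = "123456789012"  # placeholder account ID, not from the page
ADMIN_ROLE = f"arn:aws:iam::{ACCOUNT}:role/AdminRole"

# Constructed policies modelled on the question's description.
PUBLIC_BUCKET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::public-bucket/*"},
        {"Sid": "Admin", "Effect": "Allow", "Principal": {"AWS": ADMIN_ROLE},
         "Action": "s3:*",
         "Resource": ["arn:aws:s3:::public-bucket", "arn:aws:s3:::public-bucket/*"]},
    ],
})

CONFIDENTIAL_BUCKET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DenyAllButAdmin", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": "arn:aws:s3:::confidential-bucket/*",
         "Condition": {"StringNotEquals": {"aws:PrincipalArn": ADMIN_ROLE}}},
        {"Sid": "Admin", "Effect": "Allow", "Principal": {"AWS": ADMIN_ROLE},
         "Action": "s3:*", "Resource": "arn:aws:s3:::confidential-bucket/*"},
    ],
})


def _is_wildcard_principal(principal):
    """True for Principal "*" or {"AWS": "*"} (or a list containing "*")."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def find_public_statements(policy_json):
    """Return findings for Allow statements that grant access to everyone.
    A Deny statement never grants anything, so it is skipped (the point of
    eliminating option D above)."""
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    findings = []
    for st in statements:
        if st.get("Effect") != "Allow" or not _is_wildcard_principal(st.get("Principal")):
            continue
        actions = _as_list(st.get("Action"))
        # Write/delete capability (or s3:*) turns data leakage into data loss.
        destructive = [a for a in actions
                       if a == "s3:*" or a.lower().startswith(("s3:put", "s3:delete"))]
        findings.append({
            "sid": st.get("Sid", "<no Sid>"),
            "actions": actions,
            "resources": _as_list(st.get("Resource")),
            "conditioned": bool(st.get("Condition")),  # conditioned grants still need review
            "severity": "critical" if destructive else "high",
        })
    return findings


def scan_buckets(policies):
    """policies: {bucket_name: policy_json}. Returns {bucket_name: findings}."""
    return {name: find_public_statements(doc) for name, doc in policies.items()}


if __name__ == "__main__":
    report = scan_buckets({"public-bucket": PUBLIC_BUCKET_POLICY,
                           "confidential-bucket": CONFIDENTIAL_BUCKET_POLICY})
    for bucket, findings in report.items():
        print(bucket, "->", findings or "no public grants")
```

Run against the constructed policies, the checker reports one finding on public-bucket (statement `PublicRead`, `s3:GetObject` to everyone, severity high) and nothing on confidential-bucket. In a real deployment this check would sit beside the account-level public access block settings and run on every policy change, which is what makes it the preventive, automated control question 121 prefers over a manual approval step.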

123
MCQ · easy

A company is conducting an IT risk assessment for the first time. Which of the following should be the FIRST step?

A. Identify all IT assets
B. Establish the risk assessment context
C. Analyze the likelihood and impact of threats
D. Implement mitigating controls
Answer: B

Establishing context is the initial step in the risk assessment process.

Why this answer

Before any risk assessment activities can begin, the organization must establish the context—defining the scope, risk appetite, criteria for risk evaluation, and the business objectives the assessment supports. Without this foundational step, subsequent identification of assets, threat analysis, or control implementation would lack alignment with business goals and could produce irrelevant or misleading results. This aligns with the ISACA Risk IT framework and the CRISC domain of IT Risk Assessment.

Exam trap

The trap here is that candidates often jump straight to identifying assets (Option A) because it seems like the most tangible first step, but they fail to recognize that without establishing context, the asset inventory may be scoped incorrectly or lack business alignment.

How to eliminate wrong answers

Option A is wrong because identifying all IT assets is a subsequent step that depends on knowing the scope and boundaries defined during context establishment; without context, asset identification may be incomplete or misaligned. Option C is wrong because analyzing likelihood and impact of threats occurs after threats and vulnerabilities have been identified, which itself follows context establishment and asset identification. Option D is wrong because implementing mitigating controls is a risk response activity that occurs only after risks have been assessed, evaluated, and a decision to treat them has been made.

124
MCQ · hard

During a risk assessment of a legacy system, the assessor finds that no control is currently in place. The inherent risk level is 'critical'. The residual risk will be:

A. Medium
B. Critical
C. High
D. Low
Answer: B

No controls mean residual risk remains critical.

Why this answer

Residual risk is the level of risk remaining after controls are applied. Since the scenario explicitly states that no control is currently in place, the residual risk remains identical to the inherent risk level, which is 'critical'. Therefore, the residual risk is also critical.

Exam trap

The trap here is that candidates may assume residual risk is always lower than inherent risk, forgetting that without any controls, residual risk equals inherent risk by definition.

How to eliminate wrong answers

Option A is wrong because 'Medium' would imply that some risk reduction has occurred, but with no controls applied, the risk cannot be lowered from critical to medium. Option C is wrong because 'High' suggests a partial reduction in risk, which is not possible when no control exists to mitigate the inherent critical risk. Option D is wrong because 'Low' would require effective controls to significantly reduce the risk, which is absent in this scenario.

125
MCQ · medium

A retail company is assessing the risk of a POS malware attack. Which approach would BEST quantify the potential financial impact?

A. Vulnerability scanning and penetration testing
B. Annualized Loss Expectancy (ALE) calculation based on past incidents
C. Scenario analysis with input from business and IT stakeholders
D. Failure Mode and Effects Analysis (FMEA)
Answer: C

Scenario analysis provides tailored impact estimates.

Why this answer

Scenario analysis with input from business and IT stakeholders is the best approach because it allows the organization to model specific POS malware attack scenarios, incorporating both technical threat vectors (e.g., memory scraping of track data) and business context (e.g., PCI DSS fines, card reissuance costs, brand damage). This collaborative method produces a more accurate and contextualized financial impact estimate than purely historical or technical assessments, especially for emerging or evolving threats like POS malware.

Exam trap

The trap here is that candidates often choose B (ALE based on past incidents) because it appears quantitative and straightforward, but the question asks for the BEST approach to quantify potential financial impact for a specific threat (POS malware), where historical data is often sparse or irrelevant, making scenario analysis with stakeholder input more accurate and forward-looking.

How to eliminate wrong answers

Option A is wrong because vulnerability scanning and penetration testing identify technical weaknesses and exploit paths but do not quantify financial impact in monetary terms; they are risk identification tools, not impact quantification methods. Option B is wrong because Annualized Loss Expectancy (ALE) calculation based on past incidents assumes historical frequency and impact remain constant, which is unreliable for POS malware where attack vectors, detection capabilities, and regulatory penalties change rapidly; it also fails to account for unique business-specific factors. Option D is wrong because Failure Mode and Effects Analysis (FMEA) is a reliability engineering tool focused on identifying failure modes and their effects on system function, not on quantifying financial loss from a targeted cyberattack like POS malware; it lacks the business context and monetary valuation needed for financial impact assessment.

126
Multi-Select · medium

Which TWO are characteristics of inherent risk?

Select 2 answers
A. Based on the effectiveness of current controls
B. Used to determine control gap
C. Risk level before controls
D. Risk level after controls
E. Based on the assumption that no controls exist
Answers: C, E

Inherent risk is without controls.

Why this answer

Inherent risk is defined as the risk level that exists before any controls are applied or considered. It represents the raw, untreated risk exposure that an organization would face if no mitigating actions were in place. This concept is foundational in risk assessment because it establishes the baseline against which the effectiveness of controls is measured.

Exam trap

The trap here is that candidates often confuse inherent risk with residual risk, mistakenly thinking that inherent risk includes the effect of existing controls, which is a common misconception tested in CRISC questions.

127
MCQ · easy

During a risk assessment for a critical financial application, the IT risk manager identifies a vulnerability in the application's authentication module. The exploit would require authenticated access. Which risk rating is most appropriate if the vulnerability has a CVSS base score of 9.0, but the application is behind a strong firewall and requires two-factor authentication?

A. Medium, after considering the compensating controls
B. Low, because the application requires authenticated access
C. High, because CVSS base score is 9.0
D. Very high, due to the criticality of the application
Answer: A

Compensating controls reduce the likelihood of exploitation.

Why this answer

Option A is correct because the CVSS base score of 9.0 reflects the intrinsic severity of the vulnerability, but the final risk rating must incorporate compensating controls. The strong firewall and two-factor authentication (2FA) significantly reduce the likelihood of exploitation, as the attacker would need to bypass both network-level filtering and an additional authentication factor. In CRISC methodology, risk is a function of likelihood and impact; here, the controls lower the likelihood, resulting in a Medium residual risk rating despite the high base score.

Exam trap

The trap here is that candidates assume a high CVSS base score automatically dictates a High or Very High risk rating, ignoring the CRISC principle that risk must be evaluated after applying compensating controls and environmental modifiers.

How to eliminate wrong answers

Option B is wrong because requiring authenticated access does not automatically make the risk Low; the vulnerability still exists and could be exploited by an authenticated user, and the CVSS score already accounts for the attack vector (network) and complexity (low). Option C is wrong because the CVSS base score alone does not determine the final risk rating; it must be adjusted for environmental and compensating controls per the CVSS specification (e.g., modified attack vector, modified authentication). Option D is wrong because application criticality influences impact but not the final risk rating without considering likelihood; the compensating controls reduce the likelihood, so Very High is not appropriate.

128
MCQ · medium

A risk register is being updated after a quarterly risk assessment. One risk has decreased in likelihood due to new controls. However, the risk score remains unchanged because the impact increased. What should the risk practitioner do?

A. Remove the risk from the register because it is under control
B. Recalculate the risk score using the new likelihood and impact values
C. Automatically accept the risk because likelihood decreased
D. Escalate to senior management for a new risk treatment plan
Answer: B

The risk score should be based on current likelihood and impact; if impact increased, the score may stay the same or increase.

Why this answer

The risk score is a function of both likelihood and impact. Even though new controls reduced likelihood, the increased impact means the overall risk level may remain unchanged. The correct action is to recalculate the risk score using the updated values to reflect the current risk posture accurately, as required by the risk assessment process.

Exam trap

The trap here is that candidates assume a decrease in likelihood automatically lowers the risk score, ignoring that a simultaneous increase in impact can offset that reduction, leading them to prematurely accept or escalate the risk without recalculating.

How to eliminate wrong answers

Option A is wrong because removing a risk from the register simply because it is 'under control' ignores the fact that the impact has increased, which could still result in an unacceptable residual risk; risks are removed only when they are fully mitigated or no longer relevant. Option C is wrong because automatically accepting a risk solely because likelihood decreased disregards the increased impact, which may push the risk beyond the organization's risk appetite; acceptance requires a formal decision based on the full risk profile. Option D is wrong because escalating to senior management for a new treatment plan is premature; the first step is to recalculate the risk score to determine if the risk level has actually changed, and only then decide if further treatment is needed.

129
MCQ · easy

Which of the following is the BEST indicator that a risk assessment's results are reliable?

A. It is based on a standard framework such as ISO 31000.
B. It uses the most recent threat intelligence.
C. It includes both quantitative and qualitative methods.
D. It is performed by an external consultant.
Answer: B

Current threat intelligence ensures relevance and accuracy.

Why this answer

B is correct because the reliability of a risk assessment hinges on the accuracy and timeliness of its inputs. Using the most recent threat intelligence ensures that the assessment reflects the current threat landscape, including newly discovered vulnerabilities, active exploit campaigns, and emerging attack vectors. Without current intelligence, even a perfectly structured assessment will produce outdated risk scores that fail to represent actual exposure.

Exam trap

The trap here is that candidates often confuse methodological rigor (framework, mixed methods, or external objectivity) with data reliability, failing to recognize that the freshness and relevance of threat intelligence is the single most critical factor for producing trustworthy risk assessment results.

How to eliminate wrong answers

Option A is wrong because using a standard framework like ISO 31000 provides a structured methodology but does not guarantee that the underlying data (e.g., threat likelihood, asset values) is accurate or current; a framework is a process, not a data quality control. Option C is wrong because combining quantitative and qualitative methods improves comprehensiveness but does not address the timeliness or accuracy of the input data; both methods can produce unreliable results if fed stale or incorrect information. Option D is wrong because an external consultant may bring independence and expertise, but their work is still dependent on the quality of the threat intelligence and data they use; an external consultant using outdated intelligence is no more reliable than an internal team doing the same.

130
Multi-Select · hard

Which THREE factors should be considered when determining the inherent risk level of a new IT project prior to any controls?

Select 3 answers
A. Regulatory requirements governing the project's outcomes.
B. Past security incidents in similar projects.
C. Complexity of the project's technology stack.
D. Experience level of the project team.
E. Extent of external network connectivity.
Answers: A, C, E

Strict regulations increase the consequence of non-compliance, raising inherent risk.

Why this answer

Regulatory requirements (A) are a key factor in determining inherent risk because they impose mandatory compliance obligations that, if unmet, can result in legal penalties, fines, or operational shutdowns. For a new IT project, the inherent risk level is assessed based on the nature of the data processed and the applicable laws (e.g., GDPR, HIPAA, PCI DSS) before any controls are applied. This is a fundamental input to the risk assessment, as non-compliance risk exists independently of any security measures.

Exam trap

The trap here is that candidates often confuse inherent risk factors with control factors, mistakenly selecting team experience (D) or historical incidents (B) as inherent risk drivers, when in fact these are inputs for control effectiveness or residual risk assessment.
