CCNA IT Risk Identification Questions


1
Drag & Drop · medium

Arrange the steps for performing a risk assessment in the correct order.



Why this order

Risk assessment begins with asset identification, then threats/vulnerabilities, followed by likelihood and impact analysis, risk calculation, and documentation.

2
MCQ · medium

Based on the exhibit, which of the following risks is MOST indicated by the policy configuration?

A. Exposure of web server to untrusted networks without encryption
B. Data exfiltration via MySQL from the internet
C. Unauthorized SSH access to the internal network
D. Policy misconfiguration causing low hits on rule 3
Answer: A

HTTP traffic is unencrypted and allowed from any source.

Why this answer

The policy configuration shows a rule allowing inbound HTTP/HTTPS traffic from the internet to a web server without any associated encryption requirement (e.g., no TLS enforcement or VPN). This directly exposes the web server to untrusted networks, making it vulnerable to man-in-the-middle attacks and data interception, which is the most significant risk indicated.

Exam trap

The trap here is that candidates focus on the specific service (HTTP/HTTPS) and overlook the lack of encryption as the primary risk, instead considering data exfiltration or unauthorized access as more obvious threats, but the policy explicitly permits unencrypted traffic from untrusted networks.

How to eliminate wrong answers

Option B is wrong because data exfiltration via MySQL from the internet would require a specific rule allowing MySQL traffic (port 3306) from the internet, which is not shown in the exhibit; the policy only permits HTTP/HTTPS. Option C is wrong because unauthorized SSH access to the internal network would require a rule allowing SSH traffic (port 22) from the internet, which is absent; SSH is typically blocked or restricted. Option D is wrong because policy misconfiguration causing low hits on rule 3 is a performance or tuning issue, not a risk; the question asks for the most indicated risk, and low hits do not represent a security exposure.

3
Multi-Select · medium

Which THREE of the following are effective techniques for identifying IT risks?

Select 3 answers
A. Root cause analysis
B. Cost-benefit analysis
C. Brainstorming
D. Vulnerability scanning
E. SWOT analysis
Answers: C, D, E

Brainstorming is a common technique for risk identification.

Why this answer

Brainstorming is a structured group technique that leverages the collective expertise of stakeholders to identify a wide range of IT risks, including emerging threats and vulnerabilities that may not be captured by automated tools. It is effective because it encourages creative thinking and surfaces risks related to business processes, third-party dependencies, and human factors that are often missed by purely technical assessments.

Exam trap

The trap here is confusing risk identification techniques with risk analysis or risk treatment techniques, leading candidates to select root cause analysis (a post-incident technique) or cost-benefit analysis (a decision-making tool) instead of recognizing that brainstorming, vulnerability scanning, and SWOT analysis are all valid methods for initially identifying risks.

4
MCQ · hard

An organization is implementing a data classification scheme. Which of the following classification categories would be MOST effective for identifying risks related to intellectual property theft?

A. Restricted
B. Internal
C. Confidential
D. Public
Answer: C

Confidential is the standard category for sensitive business information.

Why this answer

Confidential data is the classification category specifically designed to protect sensitive information that, if disclosed, could cause significant harm to the organization, including intellectual property theft. In a data classification scheme, 'Confidential' typically applies to trade secrets, source code, and proprietary designs, making it the most effective category for identifying and mitigating risks related to IP theft.

Exam trap

The trap here is that candidates often confuse 'Restricted' with 'Confidential' due to military/government classification hierarchies, but in a corporate context, 'Confidential' is the standard category for intellectual property, while 'Restricted' is typically reserved for highly sensitive data like PII or PHI under GDPR or HIPAA.

How to eliminate wrong answers

Option A is wrong because 'Restricted' is often a higher classification than Confidential (e.g., in government or military contexts) and may be too narrow or not aligned with standard corporate IP protection tiers, potentially causing overclassification and operational friction. Option B is wrong because 'Internal' data is intended for internal use but does not imply the high level of sensitivity required for intellectual property; it typically covers general business communications and policies, not trade secrets. Option D is wrong because 'Public' data is explicitly intended for unrestricted disclosure and poses no risk of IP theft, as it is already in the public domain.

5
Multi-Select · medium

Which TWO of the following are valid risk scenarios that should be documented during IT risk identification?

Select 2 answers
A. An employee may inadvertently share confidential data via email due to lack of data classification training.
B. The organization must comply with GDPR requirements for data protection.
C. An external attacker may exploit weak password policies to gain access to the email system and exfiltrate sensitive data.
D. The database server has not been patched for critical vulnerabilities.
E. The IT department will implement multi-factor authentication to reduce the risk of unauthorized access.
Answers: A, C

This is a risk scenario with threat, vulnerability, and impact.

Why this answer

Option A is correct because it describes a specific risk scenario: an employee inadvertently sharing confidential data via email due to lack of data classification training. This is a valid risk scenario as it identifies a threat (human error), a vulnerability (insufficient training), and a potential impact (data leakage). In IT risk identification, scenarios must be concrete and actionable, not just statements of compliance or controls.

Exam trap

The trap here is that candidates often mistake compliance requirements (option B) or control implementations (option E) for risk scenarios, but CRISC requires scenarios to describe specific threat events with a clear cause-effect chain, not static states or planned actions.

6
MCQ · medium

An organization is planning to deploy an IoT solution in a manufacturing plant. The risk manager is asked to identify risks associated with the integration of IoT devices into the plant network. Which of the following techniques would be MOST effective for identifying both technical and operational risks?

A. Conduct a SWOT analysis of the IoT project
B. Facilitate a brainstorming session with IT, operational technology (OT), and safety teams
C. Interview the plant manager about operational challenges
D. Send a risk questionnaire to employees
Answer: B

Brainstorming with diverse teams identifies both technical and operational risks.

Why this answer

A brainstorming session that includes IT, operational technology (OT), and safety teams is the most effective technique because IoT integration creates a convergence of traditional IT risks (e.g., network segmentation, patch management) with OT-specific risks (e.g., real-time control system integrity, safety interlocks) and physical safety hazards. This cross-functional approach surfaces technical risks like unpatched firmware vulnerabilities in programmable logic controllers (PLCs) and operational risks such as unplanned downtime due to misconfigured device-to-controller communication protocols (e.g., Modbus/TCP without authentication).

Exam trap

ISACA often tests the misconception that a single-stakeholder interview or a generic analysis tool is sufficient for risk identification in converged IT/OT environments, when in reality the most effective technique requires collaborative input from all relevant technical and operational domains to capture the full spectrum of risks.

How to eliminate wrong answers

Option A is wrong because a SWOT analysis is a high-level strategic tool that identifies strengths, weaknesses, opportunities, and threats but lacks the granularity to uncover specific technical risks like insecure MQTT broker configurations or operational risks like loss of safety-critical sensor data. Option C is wrong because interviewing only the plant manager provides a narrow, managerial perspective that misses deep technical risks from OT engineers (e.g., legacy fieldbus vulnerabilities) and safety risks from safety engineers (e.g., failure modes of IoT-triggered emergency stops). Option D is wrong because a risk questionnaire sent to employees is a passive, one-way data collection method that cannot dynamically probe or clarify complex IoT-specific risks such as latency-induced control loop instability or interference between Wi-Fi and industrial wireless protocols like WirelessHART.

7
MCQ · easy

A company is migrating its customer database to a public cloud provider. During the planning phase, which of the following is the MOST effective approach to identify risks specific to this migration?

A. Review industry risk reports for similar migrations
B. Rely on the cloud provider's published risk documentation
C. Perform a compliance checklist review
D. Conduct a threat modeling exercise focusing on the cloud architecture
Answer: D

Threat modeling identifies environment-specific threats like data exposure and misconfigurations.

Why this answer

Conducting a threat modeling exercise (D) is the most effective approach because it systematically identifies threats, vulnerabilities, and attack vectors specific to the cloud architecture, data flow, and trust boundaries of the migration. Unlike generic reviews, threat modeling (e.g., using STRIDE or PASTA) directly addresses the unique risks of moving a customer database to a public cloud, such as misconfigured access controls, insecure APIs, or data exposure during transit.

Exam trap

The trap here is that candidates often choose a compliance checklist (C) or industry reports (A) because they seem thorough and authoritative, but the CRISC exam emphasizes that risk identification must be proactive and architecture-specific, not reactive or generic.

How to eliminate wrong answers

Option A is wrong because industry risk reports provide aggregated, historical data that may not reflect the specific architecture, provider, or configuration of this migration, leading to missed context-sensitive risks. Option B is wrong because relying solely on the cloud provider's published risk documentation shifts responsibility and fails to account for the customer's own configuration errors, shared responsibility model gaps, or application-layer vulnerabilities. Option C is wrong because a compliance checklist review only verifies adherence to regulatory standards (e.g., GDPR, PCI DSS) but does not identify technical threats like privilege escalation, data leakage, or denial-of-service risks unique to the cloud deployment.

8
Multi-Select · medium

Which TWO of the following are key risk identification techniques used to identify threats and vulnerabilities in IT systems? (Select exactly 2.)

Select 2 answers
A. Risk mitigation
B. Vulnerability scanning
C. Risk transfer
D. Threat modeling
E. Access control implementation
Answers: B, D

Vulnerability scanning identifies known vulnerabilities.

Why this answer

Vulnerability scanning is a key risk identification technique that systematically probes IT systems for known vulnerabilities, such as unpatched software or misconfigurations, using tools like Nessus or OpenVAS. It directly identifies weaknesses that could be exploited by threats, making it essential for the risk identification phase.

Exam trap

The trap here is confusing risk identification techniques (like scanning and modeling) with risk response strategies (like mitigation, transfer, or control implementation), leading candidates to select options that are actually post-identification actions.

9
MCQ · easy

An organization uses a third-party SaaS provider for payroll processing. Which of the following is the BEST technique to identify risks associated with this vendor?

A. Request a penetration test report from the vendor
B. Check online user reviews and ratings
C. Read the vendor's marketing materials and case studies
D. Review the vendor's SOC 2 Type II report and conduct an on-site assessment
Answer: D

SOC 2 provides independent assurance; site visit validates controls.

Why this answer

The SOC 2 Type II report provides an independent auditor's assessment of the vendor's controls over security, availability, processing integrity, confidentiality, and privacy over a period of time, which is critical for identifying risks in a payroll SaaS processing sensitive employee data. An on-site assessment allows the organization to verify physical and logical controls, observe operations, and discuss specific risk scenarios directly with vendor personnel, offering a deeper risk identification than any single document or review.

Exam trap

The trap here is that candidates often overvalue a penetration test report (Option A) as the definitive risk identification tool, forgetting that for a SaaS payroll provider, operational and compliance risks (e.g., data privacy, availability, change management) are equally or more critical than pure technical vulnerabilities.

How to eliminate wrong answers

Option A is wrong because a penetration test report, while useful for identifying technical vulnerabilities, is a point-in-time assessment that does not cover the full breadth of operational, privacy, and compliance controls needed for a payroll processor handling sensitive personal data. Option B is wrong because online user reviews and ratings are anecdotal, lack technical depth, and are not a reliable or auditable source for identifying specific control weaknesses or compliance gaps. Option C is wrong because marketing materials and case studies are promotional content designed to highlight successes, not to disclose risks, control failures, or security incidents.

10
MCQ · easy

Refer to the exhibit. During a risk identification review, the risk manager sees this IDS alert. What risk does this alert MOST directly indicate?

A. Sensitive data is being exfiltrated from the SQL server.
B. A malware infection is spreading across the network.
C. The organization is under a distributed denial-of-service (DDoS) attack.
D. An internal SQL server is exposed to the internet and may be probed for vulnerabilities.
Answer: D

Alert shows external IP probing internal MSSQL server, indicating internet exposure.

Why this answer

The IDS alert indicates an inbound connection attempt to TCP port 1433 (Microsoft SQL Server) from an external IP address. This directly suggests that an internal SQL server is exposed to the internet, which is a security misconfiguration that allows external entities to probe for vulnerabilities, such as weak credentials or unpatched flaws. While data exfiltration or malware could be subsequent outcomes, the alert itself most immediately signals the exposure and probing risk.

Exam trap

The trap here is that candidates may conflate a single IDS alert indicating exposure with a full-blown attack outcome (exfiltration, malware, DDoS), rather than recognizing that the alert most directly signals the underlying misconfiguration risk of internet-facing internal services.

How to eliminate wrong answers

Option A is wrong because the alert only shows a connection attempt to port 1433, not any evidence of data transfer or exfiltration; exfiltration would require additional indicators like large outbound data flows or SQL query patterns. Option B is wrong because the alert does not show lateral movement, propagation behavior, or malware signatures; a single inbound connection to a database port is not indicative of a spreading infection. Option C is wrong because a DDoS attack would involve a high volume of traffic from multiple sources overwhelming bandwidth or services, not a single SYN packet to a specific database port.

11
MCQ · medium

A company is migrating its legacy on-premises applications to a public cloud environment. Which risk identification technique is most appropriate for this scenario?

A. Control self-assessment
B. Threat modeling
C. SWOT analysis
D. Business impact analysis (BIA)
Answer: B

Threat modeling systematically identifies threats and vulnerabilities in system architecture, making it ideal for migration projects.

Why this answer

Threat modeling is the most appropriate risk identification technique for migrating legacy on-premises applications to a public cloud environment because it systematically identifies potential security threats, vulnerabilities, and attack vectors specific to the new cloud architecture. This technique evaluates how the application's design, data flows, and trust boundaries change when moved to a cloud provider like AWS, Azure, or GCP, enabling proactive mitigation of risks such as misconfigured storage, insecure APIs, or compromised identity management.

Exam trap

The trap here is that candidates often confuse SWOT analysis (a business strategy tool) with a technical risk identification technique, or mistakenly think control self-assessment is sufficient for identifying new risks in a fundamentally different architecture like cloud.

How to eliminate wrong answers

Option A is wrong because control self-assessment is a subjective evaluation of existing controls by internal staff, which is not designed to identify new risks arising from a technology migration like cloud adoption. Option C is wrong because SWOT analysis is a high-level strategic planning tool that assesses strengths, weaknesses, opportunities, and threats at an organizational level, not a technical risk identification method for specific application migration scenarios. Option D is wrong because business impact analysis (BIA) focuses on quantifying the impact of disruptions to critical business functions, not on identifying technical threats or vulnerabilities in a new cloud environment.

12
MCQ · hard

A financial institution is migrating its core banking system from an on-premises data center to a public cloud infrastructure. The migration is planned in phases over 18 months. The IT risk manager is tasked with identifying risks during the transition. During the first phase, the team moves non-critical applications to the cloud. A vulnerability assessment of the cloud environment reveals that several virtual machines have default administrative credentials enabled. Additionally, the cloud security group configuration for the application tier allows inbound SSH from the entire internet (0.0.0.0/0). The risk manager also learns that the cloud provider's shared responsibility model is not fully understood by the operations team, who believe the provider is responsible for all security controls. The institution's risk appetite statement allows for moderate risk tolerance but prohibits any exposure that could lead to unauthorized access to customer financial data. Which of the following risk scenarios should the risk manager identify as the MOST critical to address immediately?

A. The operations team's misunderstanding of the shared responsibility model
B. The cloud provider may not have adequate security controls for the institution's data
C. The phased migration introduces complexity that may cause configuration drift
D. Default credentials on virtual machines combined with unrestricted inbound SSH from the internet
Answer: D

Direct and immediate risk of unauthorized access to systems handling sensitive data.

Why this answer

Correct: D. The combination of default credentials and open SSH access creates an immediate and exploitable vulnerability that could lead to unauthorized access to the application tier, potentially compromising customer data. This directly violates the risk appetite.

A is a general issue but less immediate. B is important but not as critical as D. C is a valid concern but not the most immediate.

13
MCQ · easy

Based on the exhibit, what risk does this database error MOST directly indicate?

A. Risk of data inconsistency due to concurrency issues
B. SQL injection vulnerability
C. Unauthorized access to employee records
D. Insufficient disk space for transactions
Answer: A

Deadlocks can cause partial updates and data inconsistency.

Why this answer

The database error indicates a concurrency control failure, such as a deadlock or serialization anomaly, which directly leads to data inconsistency when multiple transactions execute simultaneously without proper isolation. This is a classic risk in multi-user database environments where ACID properties are violated, resulting in lost updates or dirty reads.

Exam trap

The trap here is that candidates confuse a database concurrency error with security vulnerabilities like SQL injection, but the error message and context point to transaction management failures rather than input validation or access control issues.

How to eliminate wrong answers

Option B is wrong because SQL injection is an application-layer attack exploiting unsanitized input, not a database concurrency error. Option C is wrong because unauthorized access involves authentication or authorization failures, not transaction-level conflicts. Option D is wrong because insufficient disk space would cause transaction failures or write errors, not the concurrency-specific error shown in the exhibit.

14
MCQ · easy

A risk manager is identifying risks for a new mobile payment application. The application will use end-to-end encryption. Which of the following is the BEST source of risk information for identifying potential threats?

A. Industry benchmark risk assessments from similar organizations
B. Threat intelligence feeds specific to the financial services sector
C. Previous internal audit reports on legacy applications
D. Vendor-provided security white papers for the encryption product
Answer: B

Threat intelligence provides current, relevant threat information for risk identification.

Why this answer

Threat intelligence feeds specific to the financial services sector provide real-time, contextualized information about emerging threats, attack patterns, and vulnerabilities targeting mobile payment systems. Since the application uses end-to-end encryption, the risk manager needs to identify threats that could bypass or undermine encryption (e.g., side-channel attacks, key interception, or man-in-the-middle attacks on the handshake), which generic or historical sources would not capture. This source is the best because it is current, sector-specific, and directly relevant to the technology stack.

Exam trap

The trap here is that candidates confuse 'historical internal data' (Option C) or 'generic benchmarks' (Option A) as reliable for risk identification, when in fact only current, external, and sector-specific threat intelligence can identify emerging threats that bypass encryption or target the application's unique implementation.

How to eliminate wrong answers

Option A is wrong because industry benchmark risk assessments from similar organizations are historical and aggregated, lacking the specificity to identify novel threats targeting a new mobile payment application with end-to-end encryption; they may also be outdated by the time of use. Option C is wrong because previous internal audit reports on legacy applications focus on past vulnerabilities and controls for older systems, which do not reflect the unique attack surface of a new mobile payment app using modern encryption protocols like TLS 1.3 or E2EE. Option D is wrong because vendor-provided security white papers for the encryption product are promotional and biased, often omitting real-world threat scenarios or zero-day vulnerabilities that could affect the application's specific implementation.

15
Multi-Select · medium

A healthcare organization is migrating its electronic health records (EHR) system to a public cloud. The risk manager identifies several risks. Which TWO of the following are the MOST significant risks related to data privacy and regulatory compliance?

Select 2 answers
A. Potential for service downtime affecting patient care.
B. Data residency and jurisdiction issues.
C. Loss of control over the cloud provider's internal access controls.
D. Insufficient encryption of data at rest and in transit.
E. Vendor lock-in due to proprietary APIs.
Answers: B, D

Data may be stored in countries with inadequate privacy laws.

Why this answer

Data residency and jurisdiction issues (B) are a top risk because healthcare data is subject to strict regulations like HIPAA and GDPR, which may require data to remain within specific geographic boundaries. Migrating EHRs to a public cloud can inadvertently place data in regions with different legal protections, exposing the organization to non-compliance and legal penalties.

Exam trap

The trap here is that candidates often confuse operational risks (like downtime) or general security risks (like access control) with the specific regulatory and privacy risks that are most significant for healthcare data in the cloud, while overlooking the foundational compliance requirements of data residency and encryption.

16
Multi-Select · medium

Which TWO of the following are recognized techniques for identifying IT risks? (Select exactly 2.)

Select 2 answers
A. ROI calculation
B. Brainstorming sessions
C. Benchmarking against industry peers
D. Threat modeling
E. SWOT analysis
Answers: B, D

Brainstorming with stakeholders generates risk ideas.

Why this answer

Brainstorming sessions (B) are a recognized technique for IT risk identification because they leverage the collective expertise of stakeholders to surface potential threats, vulnerabilities, and risk scenarios in a structured or unstructured group setting. This method is specifically cited in ISACA's CRISC Review Manual as a qualitative risk identification approach, often used during the early stages of risk assessment to generate a comprehensive list of risks without requiring quantitative data.

Exam trap

The trap here is that candidates often confuse strategic or financial analysis tools (like SWOT or ROI) with risk identification techniques, but CRISC specifically requires methods that directly uncover threats and vulnerabilities, such as brainstorming and threat modeling, rather than high-level planning or performance metrics.

17
MCQ · hard

Refer to the exhibit. What is the PRIMARY risk identified from this policy?

A. Unrestricted public read access to confidential data
B. Inadequate logging
C. Lack of encryption for data at rest
D. Missing versioning
Answer: A

The policy grants read access to anyone on the internet.

Why this answer

The policy statement 'All S3 buckets must be private by default' directly addresses the risk of public read access to confidential data. If a bucket is misconfigured as public, anyone on the internet can read its objects without authentication, leading to a data breach. This is the primary risk because the policy explicitly targets preventing unauthorized public exposure.

Exam trap

The trap here is that candidates may confuse the primary risk (public read access to data) with secondary risks like logging or encryption, but the policy's explicit focus on 'private by default' directly targets unauthorized public exposure.

How to eliminate wrong answers

Option B is wrong because inadequate logging is a separate operational risk (e.g., missing CloudTrail or S3 server access logs), not the primary risk from a bucket being public. Option C is wrong because lack of encryption for data at rest (e.g., SSE-S3 vs. SSE-KMS) is a different security control; a private bucket with no encryption still prevents public read access.

Option D is wrong because missing versioning (e.g., S3 Versioning disabled) is a data protection and recovery risk, not directly related to public read access.

18
MCQ · medium

A risk manager is identifying risks for an organization that uses a hybrid cloud environment. The organization stores sensitive data on-premises and in the cloud. Which of the following is the MOST effective method for identifying risks related to data residency and compliance?

A. Conduct a penetration test of the cloud environment
B. Review data flow diagrams and legal requirements for each jurisdiction
C. Perform a configuration review of cloud security settings
D. Review the cloud provider's SOC 2 report
Answer: B

This identifies data movement and regulatory compliance risks.

Why this answer

Reviewing data flow diagrams alongside legal requirements for each jurisdiction is the most effective method because it directly maps where sensitive data resides, transits, and is processed across on-premises and cloud environments, enabling precise identification of residency and compliance gaps. This approach aligns with CRISC's emphasis on risk identification through understanding data lineage and regulatory obligations, rather than relying on post-deployment security tests or generic reports.

Exam trap

The trap here is that candidates confuse security testing (penetration tests, configuration reviews) with compliance risk identification, overlooking that data residency and legal requirements demand a process-oriented review of data flows and jurisdictional rules, not just technical controls.

How to eliminate wrong answers

Option A is wrong because a penetration test assesses security vulnerabilities (e.g., misconfigurations, exploit paths) but does not evaluate data residency or compliance with jurisdictional laws like GDPR or CCPA. Option C is wrong because a configuration review of cloud security settings checks for technical controls (e.g., encryption, IAM policies) but cannot reveal whether data storage locations violate specific residency requirements. Option D is wrong because a SOC 2 report provides assurance on a cloud provider's controls (e.g., security, availability) but does not detail data flow paths or legal compliance for each jurisdiction where data resides.

19
MCQ · easy

An organization is implementing a new identity and access management (IAM) system. The risk manager is tasked with identifying risks associated with the migration from legacy authentication to single sign-on (SSO). Which of the following is the GREATEST risk during this migration?

A. Users may reuse strong passwords across multiple systems.
B. Users may experience increased convenience, leading to reduced security awareness.
C. Legacy authentication accounts may remain active, creating orphan accounts.
D. Help desk call volumes may increase due to SSO authentication failures.
Answer: C

Orphan accounts are a high-risk security issue if not disabled.

Why this answer

Option C is correct because legacy accounts that are not disabled after migration become unmanaged orphan accounts, posing a significant security risk. Option B is wrong because increased user convenience is a benefit, not a risk. Option A is wrong because, while password reuse is a risk, it is less severe than orphan accounts.

Option D is wrong because SSO typically reduces help desk calls for password resets.

20
MCQ · hard

During a risk assessment, an organization identifies that its remote workforce uses personal devices for work. The risk manager is concerned about data leakage. The organization has a risk appetite that is 'moderate' and wants to treat the risk. Which of the following is the MOST effective risk treatment option?

A. Implement a VPN for remote access
B. Require full disk encryption on all personal devices
C. Implement a Mobile Device Management (MDM) policy with containerization
D. Ban the use of personal devices for work
Answer: C

MDM with containerization provides a secure work environment on personal devices.

Why this answer

Option C is the most effective because MDM with containerization creates a separate, encrypted work profile on the personal device, isolating corporate data from personal apps and data. This directly addresses data leakage by enforcing security policies (e.g., remote wipe of the work container only) without requiring full control over the entire device, aligning with a 'moderate' risk appetite that seeks a balance between security and usability.

Exam trap

The trap here is that candidates often confuse 'encryption' (Option B) with 'data leakage prevention'—full disk encryption protects data at rest but does not control data flow between apps or enable selective wipe, making it less effective than containerization for a moderate risk appetite where usability and privacy are key considerations.

How to eliminate wrong answers

Option A is wrong because a VPN only encrypts data in transit between the device and the corporate network; it does not protect data at rest on the device, so if the device is lost or compromised, stored corporate data remains vulnerable to leakage. Option B is wrong because requiring full disk encryption on all personal devices is overly invasive for a moderate risk appetite: it encrypts the entire device, including personal data, and does not provide granular control over corporate data (e.g., selective wipe), potentially violating user privacy and causing resistance. Option D is wrong because banning personal devices outright is risk avoidance, which is a legitimate treatment option but the most restrictive one; with a moderate risk appetite and a remote workforce to support, avoidance over-treats the risk, reduces productivity and employee satisfaction, and is less appropriate than a control that manages the risk at an acceptable level.

21
MCQmedium

A large healthcare organization is implementing a new electronic health record (EHR) system. During the risk identification process, the risk team discovers that the EHR vendor has a history of minor security incidents but has always resolved them quickly. The vendor’s data center is located in a region prone to earthquakes. Additionally, the EHR system will integrate with several legacy systems that have known vulnerabilities. The project sponsor is keen to proceed and believes the vendor is reputable. The risk team needs to ensure all relevant risks are identified and documented. Which of the following should be the PRIORITY for the risk team?

A.Conduct a detailed assessment of the vendor's business continuity and disaster recovery plans, especially regarding natural disasters.
B.Request the vendor to patch the legacy system vulnerabilities before integration.
C.Focus on contractual indemnification clauses to transfer risk.
D.Accept the residual risk after implementing basic controls.
AnswerA

BCP/DR assessment addresses the earthquake risk directly.

Why this answer

The vendor's data center is in an earthquake-prone region, and the vendor has a history of minor security incidents. This creates a significant risk of service disruption that could impact patient safety and data availability. Prioritizing a detailed assessment of the vendor's business continuity and disaster recovery (BC/DR) plans ensures that the organization understands the vendor's ability to maintain operations and recover data in a disaster scenario, which is a fundamental risk identification activity before any mitigation or acceptance decisions.

Exam trap

The trap here is that candidates may focus on the legacy system vulnerabilities (Option B) because they are a known technical issue, but the question specifically prioritizes the vendor's data center risk, which is a higher-level business continuity concern that could render all other controls irrelevant if the vendor's site goes offline.

How to eliminate wrong answers

Option B is wrong because the legacy system vulnerabilities are owned by the healthcare organization, not the vendor; requesting the vendor to patch them is outside the vendor's responsibility and does not address the immediate risk of the vendor's data center location. Option C is wrong because focusing on contractual indemnification clauses is a risk transfer strategy that occurs after risks are fully identified and assessed, not a priority during the risk identification phase. Option D is wrong because accepting residual risk after implementing basic controls is premature; the risk team must first identify and analyze all relevant risks, including the vendor's BC/DR capabilities, before any acceptance decision can be made.

22
MCQmedium

A financial institution uses a third-party cloud service for data analytics. The service has access to non-public personal information (NPI). During a risk assessment, the risk manager discovers that the cloud provider uses subprocessors without notifying the institution. The contract does not require notification of subprocessor changes. What should the risk manager do FIRST?

A.Notify the vendor of the contract breach and request a list of all subprocessors and their compliance certifications.
B.Report the incident to the data protection authority as a breach of contract.
C.Accept the risk since the vendor remains SOC 2 Type II certified.
D.Terminate the contract immediately to mitigate the risk of unauthorized data access.
AnswerA

First, understand the risk by obtaining information on subprocessors.

Why this answer

Option A is correct because the risk cannot be assessed until the institution knows which subprocessors handle its NPI and what controls they operate; raising the issue with the vendor and obtaining the subprocessor list and their compliance attestations is the information-gathering step that every later treatment decision depends on. Option B is wrong because nothing indicates that NPI has been compromised; the finding is a contractual and oversight gap, not a reportable breach of personal data, so reporting it to a data protection authority is premature. Option C is wrong because the vendor's SOC 2 Type II report covers the vendor's own controls, not those of its subprocessors, so accepting the risk without that information is not prudent.

Option D is wrong because terminating the contract immediately is a drastic treatment chosen before the risk has been assessed, and it could cause significant business disruption.

23
MCQhard

A financial institution is integrating a new cloud-based analytics platform that will process sensitive customer data. The project team is conducting risk identification. Which technique would be MOST effective for identifying risks related to the integration of this platform with existing on-premises systems?

A.Vulnerability scanning of the cloud platform's API endpoints.
B.Brainstorming sessions with the project team.
C.Threat modeling of the integration architecture.
D.SWOT analysis to assess strengths, weaknesses, opportunities, and threats.
AnswerC

Threat modeling systematically identifies threats to the integration points, such as data flow, trust boundaries, and authentication.

Why this answer

Threat modeling of the integration architecture is the most effective technique because it systematically identifies potential security threats, attack vectors, and vulnerabilities specific to the data flows, trust boundaries, and API interactions between the cloud-based analytics platform and existing on-premises systems. Unlike generic methods, threat modeling (e.g., STRIDE or PASTA) focuses on the unique integration points, such as authentication handshakes, data-in-transit encryption (TLS 1.2/1.3), and session management, which are critical for protecting sensitive customer data during integration.

Exam trap

The trap here is that candidates often choose vulnerability scanning (Option A) because they mistakenly believe that scanning API endpoints is sufficient for integration risk identification, but vulnerability scanning only finds known flaws in the API code, not architectural threats like insecure data flows or trust boundary violations that threat modeling uniquely addresses.

How to eliminate wrong answers

Option A is wrong because vulnerability scanning of the cloud platform's API endpoints is a reactive, point-in-time assessment that only identifies known software vulnerabilities (e.g., CVEs) in the API implementation, but it does not proactively analyze the overall integration architecture, data flows, or trust boundaries between cloud and on-premises systems. Option B is wrong because brainstorming sessions with the project team, while useful for generating ideas, lack a structured methodology and can miss subtle, architecture-specific threats like privilege escalation via misconfigured cross-origin resource sharing (CORS) or insecure direct object references (IDOR) in the integration layer. Option D is wrong because SWOT analysis is a high-level strategic planning tool that assesses strengths, weaknesses, opportunities, and threats at a business or project level, but it does not provide the technical depth needed to identify specific integration risks such as API gateway misconfigurations, token replay attacks, or data leakage through logging.

24
MCQhard

Refer to the exhibit. What risk is introduced by this IAM policy?

A.Misconfigured encryption
B.Lack of logging
C.Excessive permissions
D.Weak authentication
AnswerC

The policy grants full access to all resources, creating a risk of privilege abuse.

Why this answer

The IAM policy grants `s3:*` actions on all S3 resources (`"Resource": "*"`), which allows any user or service assuming this role to perform any S3 operation, including deleting buckets, modifying permissions, or accessing all objects. This violates the principle of least privilege and introduces the risk of excessive permissions, as the policy does not restrict actions or resources to only what is necessary for the intended function.

Exam trap

The trap here is that candidates may focus on the absence of encryption or logging keywords in the policy, but the core risk is the overly broad action and resource scope, which is a classic excessive permissions vulnerability.

How to eliminate wrong answers

Option A is wrong because the policy does not reference encryption settings, KMS keys, or any condition that would misconfigure encryption; the risk is about authorization scope, not data protection configuration. Option B is wrong because the policy does not disable or omit logging settings; CloudTrail or S3 server access logging are independent of IAM policy statements and are not addressed here. Option D is wrong because the policy does not define authentication mechanisms, password policies, or MFA requirements; it only specifies allowed actions and resources after authentication has already occurred.

25
MCQmedium

An organization wants to identify risks related to third-party vendors. Which approach best supports continuous risk identification?

A.Contractual clauses requiring self-assessment
B.On-site audits every two years
C.Automated monitoring of vendor security controls via a third-party risk platform
D.Annual vendor risk assessments
AnswerC

Automated monitoring provides continuous insight into vendor security posture.

Why this answer

Automated monitoring via a third-party risk platform enables continuous, near-real-time visibility into a vendor's security posture, such as newly exposed internet-facing services, expired certificates, publicly disclosed vulnerabilities or breaches affecting the vendor, and changes in its attestation or compliance status. This approach aligns with the CRISC principle of ongoing risk identification, as it detects changes in risk exposure between formal assessment cycles without relying on periodic snapshots.

Exam trap

The trap here is that candidates often choose periodic assessments (A, B, or D) because they seem thorough, but CRISC emphasizes continuous risk identification over point-in-time reviews, and automated monitoring is the only option that provides real-time, ongoing visibility.

How to eliminate wrong answers

Option A is wrong because contractual clauses requiring self-assessment rely on vendor-reported data, which may be outdated, incomplete, or biased, and do not provide continuous or independent verification. Option B is wrong because on-site audits every two years are infrequent, static snapshots that miss interim changes in vendor environments, such as new vulnerabilities or configuration drift. Option D is wrong because annual vendor risk assessments are periodic and cannot capture risks that emerge between assessments, such as zero-day exploits or rapid cloud infrastructure changes.

26
MCQmedium

During a review of third-party vendor risks, the risk team identifies that a cloud service provider's data center is located in a country with unstable political conditions. What should the risk practitioner do FIRST?

A.Document the risk and assess its potential impact.
B.Accept the risk based on the vendor's SLA.
C.Request the vendor to move data to another region.
D.Terminate the contract immediately.
AnswerA

Proper risk management starts with documentation and assessment.

Why this answer

The risk practitioner's first step should be to document the identified risk and assess its potential impact on the organization. This aligns with the CRISC framework's emphasis on risk identification and assessment before any treatment decisions are made. Without a thorough impact assessment, the organization cannot determine whether the risk is acceptable, requires mitigation, or warrants contract termination.

Exam trap

The trap here is that candidates may jump to a risk treatment action (accept, mitigate, or terminate) without first completing the foundational step of documenting and assessing the risk.

How to eliminate wrong answers

Option B is wrong because accepting a risk based solely on a vendor's SLA is premature without first assessing the actual impact and likelihood of the political instability affecting the data center's operations. Option C is wrong because requesting the vendor to move data to another region is a risk mitigation action that should only be considered after the risk has been documented and assessed. Option D is wrong because terminating the contract immediately is an extreme response that bypasses the necessary risk assessment and evaluation of alternative treatments.

27
MCQmedium

A company operates a legacy system for which the vendor no longer provides security patches. What is the most critical risk to identify regarding this system?

A.Unpatched vulnerabilities
B.Incompatibility with new systems
C.Lack of vendor support
D.Skill shortage for maintenance
AnswerA

Without patches, all known vulnerabilities remain exploitable, posing a high risk.

Why this answer

Unpatched vulnerabilities are the most critical risk because the legacy system is exposed to known exploits that the vendor no longer addresses. Without security patches, attackers can leverage published CVEs to compromise the system, leading to data breaches or system takeover. This directly threatens the confidentiality, integrity, and availability of the system and its data.

Exam trap

The trap here is that candidates confuse the root cause (lack of vendor support) with the actual risk (unpatched vulnerabilities), leading them to select 'Lack of vendor support' instead of identifying the direct security exposure.

How to eliminate wrong answers

Option B is wrong because incompatibility with new systems is an operational or integration risk, not a security risk, and is less critical than unpatched vulnerabilities. Option C is wrong because lack of vendor support is a contributing factor to the risk, not the risk itself; the core issue is the resulting unpatched vulnerabilities. Option D is wrong because skill shortage for maintenance is a resource risk that affects the ability to manage the system, but it does not directly expose the system to exploitation like unpatched vulnerabilities do.

28
MCQeasy

Which of the following is the BEST example of a key risk indicator (KRI) for the risk of unauthorized access to sensitive data?

A.Average server uptime
B.Number of firewalls deployed
C.Percentage of users with access to sensitive data
D.Number of security awareness trainings completed
AnswerC

A high percentage indicates a larger attack surface for unauthorized access.

Why this answer

Option C is correct because a KRI must directly measure the likelihood or impact of a specific risk. The percentage of users with access to sensitive data is a direct indicator of the attack surface for unauthorized access; a higher percentage increases the probability that an unauthorized user could gain access, making it a leading indicator for that risk.

Exam trap

The trap here is confusing a control metric (e.g., number of firewalls or training completions) with a risk indicator; candidates often pick options that sound security-related but fail to directly measure the risk event's likelihood or impact.

How to eliminate wrong answers

Option A is wrong because average server uptime is an operational metric for availability, not a risk indicator for unauthorized access; it does not measure who can access data or how access controls are configured. Option B is wrong because the number of firewalls deployed is a control metric (a count of security devices), not a KRI; it does not indicate the effectiveness of access controls or the actual exposure of sensitive data. Option D is wrong because the number of security awareness trainings completed is a compliance or activity metric; it measures training completion, not the actual risk of unauthorized access, and does not reflect whether users are following access policies.

29
MCQhard

A multinational corporation is expanding its cloud infrastructure to include a new SaaS application that stores sensitive customer data. The vendor claims compliance with SOC 2 Type II and ISO 27001. The risk manager must determine if the remaining residual risk after vendor controls is within the company's risk appetite. Which of the following is the MOST critical next step?

A.Request the vendor's latest risk assessment report.
B.Conduct a data classification and legal review to identify applicable regulatory obligations.
C.Perform a pilot deployment and monitor for security incidents.
D.Accept the vendor's certifications as sufficient evidence of control effectiveness.
AnswerB

Data classification and legal review determine if additional controls are needed.

Why this answer

Option B is correct because the data classification and legal review establish which regulatory obligations apply to the data the SaaS application will hold; only against those obligations can the risk manager judge whether the controls evidenced by SOC 2 Type II and ISO 27001 leave residual risk within appetite or whether additional controls are needed. Option A is wrong because the vendor's own risk assessment reflects the vendor's risk context, not the company's data or regulatory requirements. Option C is wrong because a pilot deployment can surface operational and security incidents but does not assess regulatory compliance.

Option D is wrong because certifications only attest to the scope the auditor tested and do not guarantee that all of the company's risks are addressed.

30
MCQmedium

A company is conducting a risk assessment of a critical third-party service provider. Which of the following is the BEST source of information to identify risks associated with the provider's sub-processors?

A.The provider's documented vendor risk management program and audit reports of sub-processors
B.Service level agreements in the contract
C.SOC 2 Type II reports of the primary provider
D.Public announcements of data breaches involving the provider
AnswerA

This directly addresses sub-processor risk identification.

Why this answer

The provider's documented vendor risk management program and audit reports of sub-processors are the best source because they directly detail the controls, security posture, and compliance status of the sub-processors. This information is specific to the sub-processors' operations, unlike general reports or contracts that may not cover their unique risks. It enables the company to assess third-party and fourth-party risks as part of a comprehensive IT risk identification process.

Exam trap

The trap here is that candidates often choose SOC 2 Type II reports of the primary provider (Option C) thinking they cover all downstream risks, but they typically exclude sub-processor controls unless specifically scoped.

How to eliminate wrong answers

Option B is wrong because service level agreements (SLAs) define performance and availability metrics, not the security controls or risk posture of sub-processors; they are contractual, not evidence-based. Option C is wrong because SOC 2 Type II reports of the primary provider cover the primary provider's controls, not those of its sub-processors, and may exclude sub-processor operations entirely. Option D is wrong because public announcements of data breaches are reactive and historical, not a proactive source for identifying current risks associated with sub-processors.

31
MCQhard

Refer to the exhibit. A risk manager is reviewing IAM policies for an S3 bucket used for sensitive data. This policy allows which of the following?

A.Any user to read (GetObject) from the bucket
B.Any user to write (PutObject) to the bucket from any IP address
C.Users from the internal network (10.0.0.0/8) to write (PutObject) to the bucket
D.Users from the internal network to read (GetObject) from the bucket
AnswerC

The policy allows PutObject only from internal IPs.

Why this answer

Option C is correct because the statement allows s3:PutObject with a condition that matches only when the request's aws:SourceIp falls within 10.0.0.0/8. The principal is '*', so the statement applies to any requester, including unauthenticated ones, but the condition limits it to requests that appear to come from the internal range. No statement grants s3:GetObject, so reads fall through to the implicit deny.

Exam trap

The trap here is twofold. First, candidates read 'Principal': '*' in isolation and conclude the bucket is open to anyone; in a bucket policy '*' does match any requester, including anonymous ones, but the statement only takes effect when its Condition is satisfied, so the aws:SourceIp restriction is what bounds the grant. Second, the condition is easy to overlook, leading to the mistaken belief that writes are allowed from any IP.

How to eliminate wrong answers

Option A is wrong because no statement grants s3:GetObject; the policy only grants s3:PutObject, so no user can read from the bucket through this policy. Option B is wrong because the policy includes a condition using aws:SourceIp to restrict PutObject to the 10.0.0.0/8 range, so it does not allow writes from any IP address. Option D is wrong because the policy does not grant s3:GetObject at all, so users from the internal network cannot read from the bucket either.
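Worked example (added here; not part of the original question bank or of any AWS tooling): a small evaluator that applies the statement described above to four constructed requests, one per answer option plus a request arriving through a VPC endpoint. The policy JSON is a reconstruction of what the question describes, the request samples are constructed, and only the operators the policy actually uses (IpAddress on aws:SourceIp) are modelled.

```python
import fnmatch
import ipaddress

# Constructed bucket policy: any principal may PutObject, but only when the
# request context carries an aws:SourceIp inside 10.0.0.0/8. No statement
# grants GetObject, so reads fall through to the implicit deny.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "InternalWritesOnly",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::sensitive-data-bucket/*",
            "Condition": {"IpAddress": {"aws:SourceIp": "10.0.0.0/8"}},
        }
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_matches(condition, context):
    """Evaluate IpAddress on aws:SourceIp against the request context.

    aws:SourceIp is absent from the context when the request arrives through a
    VPC endpoint (AWS populates aws:VpcSourceIp instead). A missing key never
    satisfies IpAddress, so such a request does not match this statement.
    """
    for operator, keys in condition.items():
        if operator != "IpAddress":
            raise NotImplementedError(f"operator {operator} not modelled")
        for key, cidrs in keys.items():
            if key != "aws:SourceIp":
                raise NotImplementedError(f"key {key} not modelled")
            source = context.get("aws:SourceIp")
            if source is None:
                return False
            addr = ipaddress.ip_address(source)
            if not any(addr in ipaddress.ip_network(c) for c in _as_list(cidrs)):
                return False
    return True


def evaluate(policy, action, resource, context):
    """Return 'Allow' or 'Deny'. An explicit Deny wins; no matching statement is an implicit Deny."""
    decision = "Deny"
    for stmt in policy["Statement"]:
        if stmt.get("Principal") != "*":
            raise NotImplementedError("only Principal '*' is modelled")
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_matches(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


OBJECT = "arn:aws:s3:::sensitive-data-bucket/reports/q3.csv"

# Constructed request samples: (action, resource, request context).
SAMPLES = {
    "put_from_internal": ("s3:PutObject", OBJECT, {"aws:SourceIp": "10.42.7.15"}),
    "put_from_internet": ("s3:PutObject", OBJECT, {"aws:SourceIp": "203.0.113.9"}),
    "get_from_internal": ("s3:GetObject", OBJECT, {"aws:SourceIp": "10.42.7.15"}),
    "put_via_vpc_endpoint": ("s3:PutObject", OBJECT, {"aws:VpcSourceIp": "10.42.7.15"}),
}


def decisions(policy=BUCKET_POLICY):
    """Decision for every sample request, keyed by sample name."""
    return {name: evaluate(policy, *args) for name, args in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in decisions().items():
        print(f"{name:24s} {result}")
```

The fourth sample is the practitioner's caveat. A host in 10.0.0.0/8 reaches S3 either through NAT, in which case S3 sees the NAT gateway's public address and the private range never matches, or through a VPC endpoint, in which case aws:SourceIp is not in the request context at all. A private range in aws:SourceIp therefore rarely grants anything in practice; internal-only access is expressed with aws:VpcSourceIp or aws:SourceVpce instead.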

32
MCQhard

An international bank is expanding its operations into a new country with strict data localization laws. The IT department plans to use a cloud service provider that stores data in neighboring countries but promises compliance. The risk team has identified several potential risks: regulatory fines for non-compliance, data interception during cross-border transmission, and difficulty in auditing the cloud provider. The legal team advises that the contract includes data protection clauses, but these have not been tested. The risk manager must now prioritize risk identification efforts. What is the MOST important risk identification step the risk team should undertake?

A.Review the cloud provider's SOC 2 report.
B.Conduct a thorough legal review of the contract's data handling clauses.
C.Perform a regulatory compliance assessment specific to the new country's laws.
D.Map data flows to ensure all data is properly classified.
AnswerC

Understanding legal requirements is foundational.

Why this answer

Option C is correct because the most critical risk identification step when entering a new country with strict data localization laws is to perform a regulatory compliance assessment specific to that country's laws. This ensures the bank understands the exact legal requirements for data storage, processing, and transfer, which directly informs whether the cloud provider's promised compliance is achievable. Without this assessment, the risk team cannot accurately identify the scope and severity of regulatory fines or other legal risks.

Exam trap

The trap here is that candidates often choose Option B (legal review of contract) because they assume contractual clauses are the primary risk mitigation, but the question asks for risk identification, and without first understanding the local law, the contract's adequacy cannot be evaluated.

How to eliminate wrong answers

Option A is wrong because reviewing the cloud provider's SOC 2 report focuses on internal controls and security practices, not on compliance with specific data localization laws of the new country; SOC 2 reports are based on AICPA trust service criteria and do not address jurisdictional legal requirements. Option B is wrong because conducting a thorough legal review of the contract's data handling clauses, while important, treats the contract as the primary risk control; the clauses are untested, and their adequacy cannot be judged until the new country's actual legal requirements are understood, so this step is secondary to the regulatory assessment. Option D is wrong because mapping data flows to ensure proper classification is a data governance activity that helps understand where data resides and moves, but it does not directly identify the legal risks of non-compliance with data localization laws; it is a supporting step, not the most critical for risk identification.

33
MCQeasy

Which risk identification technique relies on analyzing past incidents to predict future risks?

A.Brainstorming
B.Loss event data analysis
C.SWOT analysis
D.Delphi technique
AnswerB

Loss event data analysis uses historical incident data to predict future risks.

Why this answer

Loss event data analysis (B) is the correct risk identification technique because it systematically examines historical incident records, such as security logs, breach reports, and audit findings, to identify patterns and trends that can predict future risks. This empirical approach leverages past loss events to quantify likelihood and impact, making it distinct from generative or qualitative methods.

Exam trap

The trap here is that candidates confuse 'brainstorming' (a forward-looking ideation method) with data-driven analysis, failing to recognize that only loss event data analysis explicitly relies on historical incident records to predict future risks.

How to eliminate wrong answers

Option A is wrong because brainstorming is a creative, group-based technique that generates ideas without relying on historical data, focusing instead on hypothetical scenarios and expert intuition. Option C is wrong because SWOT analysis evaluates internal strengths/weaknesses and external opportunities/threats in a strategic context, not past incident records for risk prediction. Option D is wrong because the Delphi technique uses iterative anonymous surveys to achieve consensus among experts, not analysis of historical loss events.

34
MCQmedium

A business continuity manager wants to identify risks that could disrupt critical business processes. Which source of information would be MOST valuable for identifying such risks?

A.Organizational charts
B.Industry benchmarks on downtime
C.Business impact analysis (BIA) documentation
D.Historical incident reports
AnswerC

BIA identifies critical processes, dependencies, and recovery objectives.

Why this answer

The Business Impact Analysis (BIA) documentation is the most valuable source because it systematically identifies critical business processes, their dependencies (e.g., specific servers, databases, network links), and the maximum tolerable downtime (MTD) for each. This directly pinpoints which risks would cause unacceptable disruption, making it the foundational input for risk identification in continuity planning.

Exam trap

The trap here is that candidates often choose historical incident reports (D) thinking past failures are the best predictor, but CRISC emphasizes proactive identification of all risks—including those never experienced—which only a BIA can systematically uncover by analyzing process criticality and dependencies.

How to eliminate wrong answers

Option A is wrong because organizational charts show reporting structures and roles, not the technical dependencies or recovery time objectives (RTOs) of critical processes. Option B is wrong because industry benchmarks on downtime provide generic statistics (e.g., average cost per hour) but do not identify specific risks to an organization's unique processes or infrastructure. Option D is wrong because historical incident reports only capture past failures, missing emerging threats, single points of failure not yet realized, or risks that have never materialized.

35
MCQhard

A software development company uses a DevOps pipeline with automated code deployment. Recently, a developer accidentally pushed a configuration file containing database credentials to a public repository. The credentials were changed within an hour, but the file remained public for a few hours. The risk team is now identifying risks in the CI/CD process. The security team has proposed adding static code analysis to detect secrets in code. The development team objects, citing false positives. The risk manager must identify the most significant risk that could lead to a data breach. Which risk should be prioritized?

A.Insufficient training on secure coding practices for developers.
B.Over-reliance on manual code reviews which are error-prone.
C.Lack of pre-commit hooks or automated scanning to prevent secrets from being committed.
D.Inadequate incident response procedures for exposed credentials.
AnswerC

Prevention at commit is the most direct control.

Why this answer

Option C is correct because the root cause of the incident was the absence of automated, pre-commit scanning to detect secrets before they are pushed to a repository. Pre-commit hooks (e.g., using tools like git-secrets or Talisman) or server-side scanning (e.g., GitHub secret scanning) can block credentials from being committed in the first place, directly preventing exposure. Without this control, the CI/CD pipeline lacks a critical preventive layer, making data breaches more likely despite post-commit remediation.

Exam trap

The trap here is that candidates focus on the incident response or training aspects (options A and D) because they seem like common root causes, but the question specifically asks for the most significant risk that could lead to a data breach, which is the lack of a preventive control (pre-commit scanning) that directly stops secrets from entering the repository.

How to eliminate wrong answers

Option A is wrong because insufficient training on secure coding practices, while valuable, does not address the immediate technical gap that allowed the secret to be committed; training alone cannot prevent accidental pushes without automated enforcement. Option B is wrong because over-reliance on manual code reviews is a secondary concern; the incident occurred due to a lack of automated scanning, not because manual reviews were bypassed or failed. Option D is wrong because inadequate incident response procedures for exposed credentials are a reactive control; the most significant risk is the preventive failure that allowed the secret to be pushed, not the speed of response after exposure.
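Worked example (added here; not part of the original question bank, and not the code of git-secrets, Talisman or GitHub secret scanning): a pre-commit style scan over file contents that demonstrates the preventive control in option C, including the two mechanisms that answer the development team's false-positive objection. The detection patterns are a small subset (AWS access key ID format and generic credential assignments), the placeholder rules and the `# allowlist-secret` marker are this example's own conventions, and the sample configuration file is constructed.

```python
import re
from typing import Dict, List, Tuple

PATTERNS = {
    # AWS long-term (AKIA) and temporary (ASIA) access key IDs: 20 upper-case alphanumerics.
    "aws-access-key-id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    # A credential-looking name assigned a literal of 8 or more characters.
    "generic-credential": re.compile(
        r"(?i)\b[\w.-]*(password|passwd|pwd|secret|api[_-]?key|token)[\w.-]*"
        r"\s*[:=]\s*['\"]?([^'\"\s]{8,})"
    ),
}

# Values that are clearly not secrets: environment-variable references,
# angle-bracket templates and obvious dummies. Skipping these keeps the
# false-positive rate down without weakening detection of real literals.
PLACEHOLDER = re.compile(r"(?i)^(\$\{?[A-Z_]+\}?|<[^>]+>|changeme|example|x{3,}|\*{3,})$")

# Assumed convention: a developer marks a knowingly fake value with this comment.
ALLOWLIST_MARKER = "# allowlist-secret"

# Constructed sample: the kind of configuration file the incident involved.
SAMPLE_CONFIG = """\
[database]
host = db.internal.example
user = app
password = ${DB_PASSWORD}
[aws]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
[test]
api_key = dummy-key-for-ci-only  # allowlist-secret
"""


def scan(text: str, path: str = "<stdin>") -> List[Tuple[str, int, str]]:
    """Return (path, line number, pattern name) for every line holding a likely secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if ALLOWLIST_MARKER in line:
            continue
        for name, pattern in PATTERNS.items():
            match = pattern.search(line)
            if match is None:
                continue
            # For the generic pattern the value is the last group; otherwise the whole match.
            value = match.group(match.lastindex) if match.lastindex else match.group(0)
            if PLACEHOLDER.match(value):
                continue
            findings.append((path, lineno, name))
    return findings


def should_block_commit(files: Dict[str, str]) -> bool:
    """True when any staged file still has a finding after placeholders and allowlisting."""
    return any(scan(contents, path) for path, contents in files.items())


if __name__ == "__main__":
    for path, lineno, name in scan(SAMPLE_CONFIG, "config.ini"):
        print(f"{path}:{lineno}: {name}")
    print("block commit:", should_block_commit({"config.ini": SAMPLE_CONFIG}))
```

Run as a pre-commit hook, `should_block_commit` would be fed the staged contents of each file and a non-zero exit would stop the commit. The environment-variable reference on line 4 and the allowlisted test value on line 9 pass, while the two real-looking AWS values are caught before they reach any repository.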

36
MCQhard

What is the most significant risk identified by this configuration?

A.Denial of service attack on the S3 bucket
B.Loss of encryption keys
C.Unauthorized access to sensitive data from the internet
D.Data exfiltration by internal users
AnswerC

The wildcard principal and lack of condition allow anyone to read objects, leading to data exposure.

Why this answer

The bucket policy uses a wildcard principal with no condition, so any requester on the internet, without authenticating, can read objects in the bucket; nothing restricts access to specific source addresses, principals or accounts. The result is unauthorized access to sensitive data, and the most significant risk is the direct exposure of confidential information to untrusted external actors.

Exam trap

The trap here is that candidates may focus on internal threats (Option D) or encryption key management (Option B) instead of recognizing that a public bucket policy directly enables external unauthorized access, which is the most immediate and severe risk.

How to eliminate wrong answers

Option A is wrong because a denial of service attack on the S3 bucket is possible but less significant than unauthorized data access; the configuration does not inherently make the bucket more vulnerable to DoS than any other public endpoint. Option B is wrong because loss of encryption keys is not directly related to the bucket's public accessibility; encryption keys are managed separately (e.g., via AWS KMS) and are not exposed by the bucket policy itself. Option D is wrong because data exfiltration by internal users is a valid risk but is not the most significant in this context; the configuration explicitly allows any internet user to access the data, making external unauthorized access the primary concern.
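Added worked example, not part of the original question or its exhibit: a small checker that applies the rule the answer relies on (an Allow statement with a wildcard principal is public, and one with no Condition is public to everyone) to a constructed bucket policy, next to a corrected policy that scopes access to one IAM role. The bucket name, account ID and role name are placeholders.

```python
"""Check an S3 bucket policy for statements that grant anonymous access.

Added example for this question, not an exhibit from the page. Both policies
below are constructed; the bucket name, account ID and role name are
placeholders. The rule mirrors the answer: Effect "Allow" plus a wildcard
Principal is public, and a missing Condition means it is public to everyone.
"""
import json

# Constructed: the weak configuration the question describes.
PUBLIC_READ_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-customer-exports/*",
    }],
})

# Constructed: access limited to one IAM role, plus a deny of plaintext HTTP.
RESTRICTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AppRoleRead",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/exports-reader"},
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-customer-exports/*",
        },
        {
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::example-customer-exports",
                "arn:aws:s3:::example-customer-exports/*",
            ],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
})


def _as_list(value):
    """Policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_wildcard_principal(principal):
    """True for Principal "*" or {"AWS": "*"} / {"AWS": ["*", ...]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def find_public_statements(policy_json):
    """Return one finding per Allow statement with a wildcard principal.

    conditional=False is the case in the question: anyone on the internet
    matches. conditional=True still deserves review, because an aws:SourceIp
    or aws:SourceVpce condition may or may not be tight enough.
    """
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue  # a Deny with Principal "*" restricts; it is not exposure
        if not _is_wildcard_principal(stmt.get("Principal")):
            continue
        findings.append({
            "sid": stmt.get("Sid", "<no Sid>"),
            "actions": _as_list(stmt.get("Action")),
            "conditional": "Condition" in stmt,
        })
    return findings


if __name__ == "__main__":
    for name, policy in (("weak", PUBLIC_READ_POLICY), ("fixed", RESTRICTED_POLICY)):
        print(name, find_public_statements(policy))
```

The check reads only the bucket policy. Effective exposure also depends on the account-level and bucket-level S3 Block Public Access settings and on object ACLs, so a clean result here is necessary but not sufficient evidence that the bucket is private.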

37
MCQeasy

Refer to the exhibit. Which risk is MOST directly identified?

A.Denial of service vulnerability
B.Malware propagation across subnets
C.Weak password policy
D.Unauthorized remote access to a critical server
AnswerD

Allowing RDP from a broad range increases unauthorized access risk.

Why this answer

The exhibit shows an access rule that permits inbound RDP (TCP 3389) to a critical server from a broad source range rather than from a small set of management hosts. This directly identifies the risk of unauthorized remote access: an exposed management interface is the path an attacker uses to brute-force credentials or exploit the service and gain control of the server. The other options are not directly indicated by such a rule.

Exam trap

The trap here is that candidates may misinterpret a network diagram or ACL as indicating a denial of service vulnerability (Option A) because they focus on the inbound traffic volume or source, rather than recognizing that the specific risk is the exposure of a management interface to unauthorized remote access.

How to eliminate wrong answers

Option A is wrong because a denial of service vulnerability typically involves resource exhaustion or protocol-level attacks (e.g., SYN flood, ICMP flood), which are not directly identified by an ACL permitting remote access to a server. Option B is wrong because malware propagation across subnets would require evidence of lateral movement paths, such as unrestricted inter-subnet firewall rules or open file-sharing ports, not a single inbound rule to a critical server. Option C is wrong because a weak password policy is a governance or configuration issue unrelated to network access controls; it would be identified through password audits or policy reviews, not by examining ACLs or network diagrams.

38
MCQhard

A financial institution is implementing a new real-time payment system that will process high-value transactions. To identify emerging risks, which method would be MOST effective during the development phase?

A.Embed automated security testing and threat modeling into the CI/CD pipeline
B.Wait for a post-implementation penetration test
C.Conduct a security review of the completed system before deployment
D.Develop a straw man architecture and perform a threat model
AnswerA

Continuous integration of security identifies risks early and often.

Why this answer

Embedding automated security testing and threat modeling into the CI/CD pipeline enables continuous risk identification as code is developed, which is critical for a real-time high-value payment system where vulnerabilities introduced early could lead to financial loss or fraud. This approach aligns with the CRISC focus on proactive risk identification during the development phase, rather than relying on later-stage reviews.

Exam trap

The trap here is that candidates often choose a later-stage review (like Option C) or a one-time threat model (Option D) because they underestimate the speed of risk emergence in agile development, but the CRISC exam emphasizes continuous risk identification during the development phase, making CI/CD integration the most effective method.

How to eliminate wrong answers

Option B is wrong because waiting for a post-implementation penetration test introduces a significant delay, allowing vulnerabilities to be baked into the production system and increasing remediation costs; it is reactive, not proactive. Option C is wrong because conducting a security review of the completed system before deployment is a point-in-time assessment that misses risks introduced during iterative development, and it does not provide continuous feedback. Option D is wrong because developing a straw man architecture and performing a threat model is a static, upfront activity that does not adapt to code changes or emerging risks during the development lifecycle, and it lacks the automation needed for a CI/CD environment.

39
MCQeasy

An IT risk manager is facilitating a workshop to identify risks for a new mobile banking application. Which technique is MOST appropriate for generating a comprehensive list of risks?

A.Review risk registers from similar projects
B.Perform a SWOT analysis
C.Conduct a brainstorming session with cross-functional team members
D.Distribute a risk questionnaire to project stakeholders
AnswerC

Brainstorming with diverse members yields broad risk identification.

Why this answer

Brainstorming with a cross-functional team (option C) is the most appropriate technique for generating a comprehensive list of risks for a new mobile banking application because it leverages diverse perspectives from development, security, compliance, and business units. This collaborative approach helps uncover unknown or emergent risks specific to the application's architecture, such as API vulnerabilities, session management flaws, or regulatory gaps, which might not be captured by historical data or structured questionnaires.

Exam trap

The trap here is that candidates often choose 'Review risk registers from similar projects' (option A) because it seems efficient and data-driven, but they overlook that historical registers may miss novel risks specific to the new application's technology, such as mobile-specific attack vectors or updated compliance requirements.

How to eliminate wrong answers

Option A is wrong because reviewing risk registers from similar projects relies on historical data that may not account for the unique technology stack, threat landscape, or regulatory requirements of a new mobile banking application, leading to blind spots for novel risks. Option B is wrong because a SWOT analysis focuses on strategic strengths, weaknesses, opportunities, and threats at a high level, but it lacks the depth and specificity needed to identify technical risks like insecure data storage, weak authentication, or third-party SDK vulnerabilities. Option D is wrong because distributing a risk questionnaire to project stakeholders is a passive, one-way method that often yields incomplete or biased responses, missing the interactive discussion needed to surface complex, interdependent risks in a mobile banking context.

40
MCQeasy

A retail company uses a legacy inventory system that is no longer supported by the vendor. The IT department is planning to migrate to a modern cloud-based system. During risk identification, which of the following should be considered a PRIMARY risk?

A.Inadequate training of staff on the new system.
B.Potential cost overrun due to migration complexity.
C.Loss of data integrity during the data migration process.
D.Failure to decommission the legacy system after migration.
AnswerC

Data integrity loss directly impacts business operations and is a core IT risk.

Why this answer

Loss of data integrity during migration is the primary risk because the legacy system is unsupported, meaning there are no vendor patches or tools to validate or repair data inconsistencies. Corrupted or incomplete data transferred to the cloud-based system can lead to inaccurate inventory records, financial losses, and operational disruptions that are difficult to reverse without vendor support.

Exam trap

The trap here is that candidates often confuse operational risks (like training or decommissioning) with primary IT risks that directly impact data confidentiality, integrity, or availability during the migration itself.

How to eliminate wrong answers

Option A is wrong because inadequate training is an operational risk that arises after migration, not a primary risk during the identification phase of the migration project itself. Option B is wrong because cost overrun is a financial risk, not a primary IT risk; it is a consequence of technical issues like data loss or migration failure, not a root risk to the system's integrity. Option D is wrong because failure to decommission the legacy system is a post-migration operational risk that does not directly threaten the success or security of the data migration process.

41
Multi-Selecteasy

A risk practitioner is identifying risks related to a new API gateway implementation. Which TWO of the following are MOST likely to be significant risks?

Select 2 answers
A.Insufficient logging of API requests.
B.Lack of scalability for peak loads.
C.Insecure direct object references (IDOR) allowing unauthorized data access.
D.Use of outdated programming language.
E.High licensing cost.
AnswersA, C

Logging is critical for detection and forensics; its absence is a risk.

Why this answer

Insufficient logging of API requests (A) is a significant risk because it impairs the ability to detect, investigate, and respond to security incidents such as unauthorized access, injection attacks, or data exfiltration. Without comprehensive logs, the organization cannot perform effective forensic analysis or meet compliance requirements (e.g., PCI DSS, SOX). In the context of an API gateway, which acts as the central entry point for all API traffic, missing logs create a blind spot for threat detection and incident response. Insecure direct object references (C) are a significant risk because the gateway fronts many back-end services: if it forwards an object identifier without checking that the caller is authorized for that specific object, any authenticated user can enumerate other users' records. This is an authorization failure that TLS, rate limiting and schema validation at the gateway do not address.

Exam trap

The trap here is that candidates often confuse operational risks (scalability, cost) with security risks, or they assume that an outdated programming language is a direct security risk to the gateway, when it is at most a maintainability concern unless a specific unpatched vulnerability in that runtime has been identified.

42
MCQmedium

During a risk assessment for a cloud migration project, the risk team identifies that the new SaaS application has not been tested for interoperability with existing identity management systems. The project manager argues that the integration will be straightforward and asks to remove this from the risk register. Which of the following is the BEST response from the risk practitioner?

A.Remove the risk as it is low priority.
B.Keep the risk in the register with a note that further assessment is needed.
C.Accept the risk but document the decision.
D.Escalate to the project steering committee.
AnswerB

Properly documents the risk until assessment clarifies.

Why this answer

Option B is correct because a risk that has not been assessed should remain in the register with a note that further assessment is needed; removing it on the strength of the project manager's opinion could leave an untested integration issue unaddressed. Option A is wrong because it is premature to remove the risk without an assessment. Option C is wrong because accepting a risk is a treatment decision that requires an assessment of likelihood and impact first, and the project manager is not necessarily the risk owner. Option D is wrong because escalation to the steering committee is not the first step; it becomes appropriate only if the risk cannot be resolved at the project level after assessment.

43
MCQhard

An organization is evaluating threat intelligence feeds to improve IT risk identification. Which of the following criteria should be given the HIGHEST priority when selecting a feed?

A.Relevance to the organization's industry and technology stack
B.Ease of integration with existing security tools
C.The feed's update frequency
D.The number of indicators provided per day
AnswerA

Intelligence that is not relevant will lead to false positives and wasted resources.

Why this answer

Relevance to the organization's industry and technology stack is the highest priority because threat intelligence that does not align with the specific attack surface, software versions, and threat actors targeting that industry will generate excessive false positives and irrelevant alerts. For example, a healthcare organization using Epic EHR would prioritize feeds covering healthcare-specific ransomware (e.g., Ryuk) and medical device vulnerabilities over generic indicators, ensuring risk identification is actionable and contextually accurate.

Exam trap

The trap here is that candidates prioritize operational metrics like integration ease or update frequency over the strategic requirement of contextual relevance, confusing efficiency with effectiveness in risk identification.

How to eliminate wrong answers

Option B is wrong because ease of integration, while operationally convenient, does not address the core requirement of improving risk identification; a feed that integrates easily but provides irrelevant data will not reduce risk. Option C is wrong because update frequency alone is meaningless if the indicators are not relevant; a feed updated every 5 minutes with generic IPs from unrelated sectors adds noise and degrades detection fidelity. Option D is wrong because the number of indicators per day is a vanity metric; high volume often includes low-quality or outdated indicators (e.g., stale C2 IPs) that increase false positives without improving risk identification accuracy.

44
MCQeasy

A vulnerability scan of the internal network reveals a critical vulnerability in a legacy application that cannot be patched immediately. What is the FIRST step the risk practitioner should take?

A.Document the vulnerability and assess the associated risk in the risk register
B.Apply a virtual patch via an intrusion prevention system
C.Isolate the application from the network
D.Notify the application owner and request an emergency patch
AnswerA

Proper risk identification and documentation precede treatment decisions.

Why this answer

The first step is to document the vulnerability and assess the associated risk in the risk register because risk identification and assessment must precede any remediation decision. Without a formal risk assessment, the practitioner cannot determine whether compensating controls (like a virtual patch or isolation) are appropriate or whether the residual risk is acceptable to the business. This aligns with the CRISC framework's emphasis on risk-based decision-making before implementing technical controls.

Exam trap

The trap here is that candidates often jump to a technical control (like applying a virtual patch or isolating the application) because it seems immediate and effective, but the CRISC exam consistently tests that risk assessment and documentation must come first before any control implementation.

How to eliminate wrong answers

Option B is wrong because applying a virtual patch via an intrusion prevention system (IPS) is a compensating control that should only be selected after the risk has been assessed and documented; jumping to a technical fix without risk evaluation bypasses the risk management process. Option C is wrong because isolating the application from the network is a drastic technical control that may disrupt business operations and should be considered only after the risk assessment determines that the vulnerability's impact exceeds the organization's risk appetite. Option D is wrong because notifying the application owner and requesting an emergency patch is a reactive step that assumes a patch is feasible, but the scenario explicitly states the application cannot be patched immediately, making this action premature and potentially futile without first assessing the risk.

45
MCQeasy

A risk practitioner is facilitating a workshop to identify IT risks for a new product launch. Which technique BEST encourages participants to think about risks from different perspectives?

A.Using a structured framework such as STRIDE or OCTAVE.
B.Asking each participant to write risks individually.
C.Using a checklist of common IT risks.
D.Brainstorming without any predefined categories.
AnswerA

Structured frameworks guide thinking across risk categories.

Why this answer

A structured framework like STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege) or OCTAVE provides predefined threat categories that force participants to systematically consider risks from multiple angles—such as security, operational, and compliance perspectives—rather than relying on ad hoc thinking. This ensures comprehensive coverage of the attack surface for the new product launch, including often-overlooked areas like repudiation or elevation of privilege in cloud-based microservices.

Exam trap

ISACA often tests the misconception that unstructured brainstorming (Option D) is the most creative approach, but the trap is that without a framework, participants miss systematic threat categories and the workshop fails to identify risks like elevation of privilege or repudiation that require structured prompting.

How to eliminate wrong answers

Option B is wrong because asking each participant to write risks individually lacks the collaborative cross-pollination of ideas needed to surface diverse perspectives; it tends to produce siloed, homogeneous viewpoints based on each person's limited experience. Option C is wrong because a checklist of common IT risks is static and retrospective, focusing on known issues (e.g., SQL injection, misconfigured firewalls) and missing novel or product-specific threats that emerge from the unique architecture of the new launch. Option D is wrong because brainstorming without any predefined categories often leads to groupthink, anchoring on the loudest voice, and missing entire threat categories like denial-of-service or privilege escalation that require structured prompting.

46
MCQmedium

A multinational e-commerce company has experienced multiple security incidents involving unauthorized access to customer payment data. The incidents originated from different regional offices and exploited misconfigured firewall rules. The risk manager needs to identify the root cause of these risks. Which approach would BEST help in identifying the root cause of the IT risk?

A.Perform a root cause analysis on the firewall misconfigurations to determine underlying process weaknesses.
B.Implement additional logging on all firewall devices to capture configuration changes.
C.Conduct a penetration test targeting all regional office networks to identify vulnerabilities.
D.Update the risk register to include the incidents and assign risk owners.
AnswerA

Root cause analysis systematically identifies the fundamental reason for the misconfigurations, such as inadequate change management.

Why this answer

Option A is correct because a root cause analysis on the firewall misconfigurations will identify the underlying weakness, for example an inadequate change management or configuration review process that allowed the same class of misconfiguration to recur across regional offices. Option B is wrong because adding logging without analysis does not identify the root cause. Option C is wrong because a penetration test may find further vulnerabilities but not the process failure that produced them. Option D is wrong because updating the risk register records the result of identification; it is not a method for identifying root cause.

47
MCQhard

Based on the firewall log exhibit, which of the following conclusions is MOST appropriate for risk identification?

A.External server 198.51.100.20 is attempting to exploit host 10.0.1.10
B.Host 10.0.1.15 is successfully communicating with external server 203.0.113.50
C.The firewall is functioning correctly with no security incidents
D.There is evidence of a potential reverse shell or malware beaconing from host 10.0.1.15
AnswerD

Outbound connection attempts from an internal host to an external IP on a port commonly used by reverse shells indicate possible compromise, whether or not the firewall permitted them.

Why this answer

Option D is correct because the firewall log shows an outbound connection from internal host 10.0.1.15 to external server 203.0.113.50 on TCP port 4444, a non-standard high port that is the default listener port in common reverse-shell tooling (Metasploit, for example) and is therefore strongly associated with reverse shell payloads and malware command-and-control (C2) beaconing. The direction matters: the connection is initiated from inside, so it bypasses inbound firewall rules, and it suggests that the host has been compromised and is establishing a channel to an external attacker. Such behavior is a critical risk indicator for IT risk identification, as it points to active malicious activity within the network.

Exam trap

The trap here is that candidates focus on the source/destination IPs and assume any outbound connection is benign, overlooking the significance of the destination port (4444) as a common reverse shell indicator, which ISACA often uses to test understanding of outbound threat patterns versus simple inbound attack detection.

How to eliminate wrong answers

Option A is wrong because the log shows traffic from external server 198.51.100.20 to host 10.0.1.10 on port 80 (HTTP), which is typical web traffic and not indicative of an exploit unless accompanied by attack signatures or payload anomalies; the log alone does not confirm exploitation. Option B is wrong because while host 10.0.1.15 is indeed communicating with external server 203.0.113.50, the log shows a connection to a high port (4444) rather than a standard service port, making this communication suspicious rather than 'successful' in a benign sense. Option C is wrong because the presence of an outbound connection to a high, non-standard port from an internal host is a security incident indicator, contradicting the claim that the firewall is functioning correctly with no incidents.
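Added worked example, not the exam exhibit: a parser over a constructed, iptables-style firewall log (using the same addresses as the question) that flags internal-to-external flows on ports commonly used as reverse-shell listeners, counting dropped attempts as well as accepted ones. The internal ranges and the port list are assumptions to tune for your own environment.

```python
"""Flag internal hosts making outbound connections to reverse-shell ports.

Added example; the log below is constructed in an iptables-like format and
is not the exam exhibit. The port list and the internal ranges are
assumptions to tune for your own environment.
"""
import ipaddress
import re
from collections import defaultdict

SAMPLE_LOG = """\
2024-03-01T10:00:01Z ACCEPT IN=eth0 OUT=eth1 SRC=198.51.100.20 DST=10.0.1.10 PROTO=TCP SPT=51234 DPT=80
2024-03-01T10:00:05Z ACCEPT IN=eth1 OUT=eth0 SRC=10.0.1.15 DST=203.0.113.50 PROTO=TCP SPT=49810 DPT=4444
2024-03-01T10:01:05Z ACCEPT IN=eth1 OUT=eth0 SRC=10.0.1.15 DST=203.0.113.50 PROTO=TCP SPT=49811 DPT=4444
2024-03-01T10:02:05Z DROP   IN=eth1 OUT=eth0 SRC=10.0.1.15 DST=203.0.113.50 PROTO=TCP SPT=49812 DPT=4444
2024-03-01T10:02:30Z ACCEPT IN=eth1 OUT=eth0 SRC=10.0.1.22 DST=203.0.113.9 PROTO=TCP SPT=50112 DPT=443
"""

INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Ports that appear as default listeners in common reverse-shell tooling (assumption).
REVERSE_SHELL_PORTS = {4444, 1337, 31337}

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ACCEPT|DROP|REJECT)\s+.*?"
    r"SRC=(?P<src>\S+)\s+DST=(?P<dst>\S+)\s+PROTO=(?P<proto>\S+)\s+"
    r"SPT=(?P<spt>\d+)\s+DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["spt"] = int(rec["spt"])
    rec["dpt"] = int(rec["dpt"])
    return rec


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_suspicious_egress(log_text):
    """Group internal -> external flows that target a suspicious port.

    Dropped attempts count too: a host repeatedly trying to reach a C2
    listener is compromised whether or not the firewall let it through.
    """
    flows = defaultdict(lambda: {"attempts": 0, "accepted": 0,
                                 "first": None, "last": None})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if not is_internal(rec["src"]) or is_internal(rec["dst"]):
            continue  # only outbound flows are of interest here
        if rec["dpt"] not in REVERSE_SHELL_PORTS:
            continue
        f = flows[(rec["src"], rec["dst"], rec["dpt"])]
        f["attempts"] += 1
        f["accepted"] += rec["action"] == "ACCEPT"
        f["first"] = f["first"] or rec["ts"]
        f["last"] = rec["ts"]
    return [dict(src=k[0], dst=k[1], dpt=k[2], **v)
            for k, v in sorted(flows.items())]


if __name__ == "__main__":
    for finding in find_suspicious_egress(SAMPLE_LOG):
        print(finding)
```

Matching on the destination port is a cheap first-pass heuristic, which is all the exam question needs. Real C2 frequently uses 443 to an unknown host, so a production detection also looks at the regularity of the interval between connections (60 seconds apart in the sample above) and at the reputation of the destination, not only at the port.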

48
MCQmedium

A new web application is being developed using several open-source libraries. Which risk identification method is most effective for identifying vulnerabilities in these libraries?

A.Static application security testing (SAST)
B.Software composition analysis (SCA)
C.Dynamic application security testing (DAST)
D.Manual code review
AnswerB

SCA scans dependencies and matches them against vulnerability databases, ideal for open-source risk identification.

Why this answer

Software Composition Analysis (SCA) is specifically designed to identify known vulnerabilities in open-source libraries by analyzing dependency manifests (e.g., pom.xml, package.json) and correlating them against vulnerability databases like the National Vulnerability Database (NVD). For a web application built with multiple open-source components, SCA automates the detection of outdated or vulnerable libraries, which is the most effective method for this risk identification scenario.

Exam trap

The trap here is that candidates confuse SAST (which finds code-level bugs) with SCA (which finds library vulnerabilities), assuming any security testing tool can identify open-source risks, but only SCA is designed to inventory and assess third-party components against known CVEs.

How to eliminate wrong answers

Option A is wrong because Static Application Security Testing (SAST) analyzes source code for security flaws in custom application logic (e.g., SQL injection, buffer overflows), but it does not scan or track third-party library dependencies or their known vulnerabilities. Option C is wrong because Dynamic Application Security Testing (DAST) tests the running application for runtime vulnerabilities (e.g., XSS, CSRF) by sending malicious payloads, but it cannot identify vulnerabilities embedded in library versions that are not actively exploited during the test. Option D is wrong because Manual code review, while thorough for custom code, is impractical for large open-source libraries and cannot efficiently cross-reference thousands of library versions against vulnerability databases like SCA does.
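Added worked example, not a real SCA tool: a toy composition analysis that reads a constructed package.json, resolves each declared version range to the lowest version it permits, and matches it against a constructed advisory list. The package names and advisory IDs are fictitious; real SCA pulls advisories from databases such as OSV or the NVD and takes exact versions, including transitive dependencies, from a lockfile.

```python
"""Toy software composition analysis: match declared dependencies against advisories.

Added example, not a real SCA tool. The manifest, the package names and the
advisory list are constructed; real SCA pulls advisories from databases such
as OSV or the NVD and resolves exact versions from a lockfile.
"""
import json
import re

MANIFEST = json.dumps({  # constructed package.json
    "name": "shop-web",
    "dependencies": {
        "fast-template": "2.3.1",
        "auth-helper": "^1.4.0",
        "csv-parse-lite": "0.9.2",
    },
})

ADVISORIES = [  # constructed; ids, packages and summaries are fictitious
    {"id": "ADV-0001", "package": "fast-template", "affected": "<2.4.0",
     "summary": "server-side template injection in render()"},
    {"id": "ADV-0002", "package": "auth-helper", "affected": ">=1.0.0 <1.4.3",
     "summary": "JWT with alg=none accepted"},
    {"id": "ADV-0003", "package": "csv-parse-lite", "affected": "<0.9.0",
     "summary": "ReDoS on quoted fields"},
]

RANGE_TOKEN = re.compile(r"(<=|>=|<|>|=)?\s*(\d+(?:\.\d+)*)")


def parse_version(text):
    """'1.4.0' -> (1, 4, 0); tuples compare the way semver components do."""
    return tuple(int(p) for p in text.split("."))


def pinned_version(spec):
    """Lowest version a manifest spec allows (e.g. '^1.4.0' -> (1, 4, 0)).

    Without a lockfile the installed version is unknown; taking the floor of
    the range is the conservative assumption used here.
    """
    m = RANGE_TOKEN.search(spec)
    if not m:
        raise ValueError(f"unsupported version spec: {spec!r}")
    return parse_version(m.group(2))


def version_in_range(version, range_spec):
    """True when every clause in a space-separated range (e.g. '>=1.0.0 <1.4.3') holds."""
    ops = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
           ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
           "=": lambda a, b: a == b, None: lambda a, b: a == b}
    for op, ver in RANGE_TOKEN.findall(range_spec):
        if not ops[op or None](version, parse_version(ver)):
            return False
    return True


def scan_manifest(manifest_json, advisories):
    """Return one hit per (dependency, advisory) pair whose version is affected."""
    deps = json.loads(manifest_json).get("dependencies", {})
    hits = []
    for name, spec in deps.items():
        version = pinned_version(spec)
        for adv in advisories:
            if adv["package"] == name and version_in_range(version, adv["affected"]):
                hits.append({"package": name,
                             "version": ".".join(map(str, version)),
                             "advisory": adv["id"],
                             "summary": adv["summary"]})
    return hits


if __name__ == "__main__":
    for hit in scan_manifest(MANIFEST, ADVISORIES):
        print(hit)
```

The range prefix matters: "^1.4.0" in the manifest tells you nothing about what actually got installed, which is why SCA tools read the lockfile and why the third-party inventory should be regenerated on every build rather than once at project start.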

49
Multi-Selecteasy

A SIEM generates alerts for the following events. Which TWO events should be considered potential emerging risks? (Select exactly 2.)

Select 2 answers
A.Scheduled backup completed successfully
B.Software update installed on server
C.High number of failed authentication attempts from a single IP
D.Low disk space alert on a file server
E.Unusual increase in outbound traffic from a database server
AnswersC, E

Indicates a brute-force attack attempt.

Why this answer

A high number of failed authentication attempts from a single IP (C) is a classic indicator of a brute-force or password-spraying attack. This represents an emerging risk because it signals active reconnaissance or attempted unauthorized access, which could lead to account compromise or lateral movement if successful. An unusual increase in outbound traffic from a database server (E) is a potential exfiltration indicator: a database server normally answers queries from the application tier and has no business reason to push large volumes of data outbound, so a spike against its baseline suggests that data is being copied out or that the server is relaying traffic for an attacker.

Exam trap

The trap here is that candidates confuse operational alerts (like low disk space or successful backups) with security risks, failing to recognize that emerging risks must involve active threat indicators such as reconnaissance or anomalous traffic patterns.
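Added worked example, not part of the original question: the two detections behind answers C and E, run over constructed events. The first counts authentication failures per source IP in a sliding window (per source rather than per account, so that password spraying across many users is still caught); the second compares each server's latest outbound byte count with the mean of its preceding samples. The thresholds (10 failures in 5 minutes, egress above 3x a 6-sample baseline) are assumptions to tune per environment.

```python
"""Two SIEM-style detections for the alerts the answer calls emerging risks.

Added example; the events below are constructed, and the thresholds
(10 failures in 5 minutes, egress above 3x a 6-sample baseline) are
assumptions to tune per environment.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def _ts(s):
    return datetime.fromisoformat(s)


_BASE = _ts("2024-03-01T09:00:00+00:00")

# Constructed authentication events: one external IP spraying twelve accounts
# ten seconds apart, and one internal user who mistyped a password twice.
AUTH_EVENTS = [
    {"ts": _BASE + timedelta(seconds=10 * i), "src_ip": "203.0.113.77",
     "user": f"user{i:02d}", "result": "FAIL"} for i in range(12)
] + [
    {"ts": _ts("2024-03-01T09:05:00+00:00"), "src_ip": "10.0.2.14", "user": "jdoe", "result": "FAIL"},
    {"ts": _ts("2024-03-01T09:05:20+00:00"), "src_ip": "10.0.2.14", "user": "jdoe", "result": "FAIL"},
    {"ts": _ts("2024-03-01T09:05:40+00:00"), "src_ip": "10.0.2.14", "user": "jdoe", "result": "OK"},
]

# Constructed hourly outbound byte counts per server, oldest first.
EGRESS_BYTES = {
    "db-01":  [410_000, 395_000, 402_000, 418_000, 399_000, 405_000, 6_200_000],
    "web-03": [9_100_000, 8_700_000, 9_400_000, 9_000_000, 9_300_000, 8_900_000, 9_200_000],
}


def brute_force_sources(events, threshold=10, window=timedelta(minutes=5)):
    """Source IPs with at least `threshold` failures inside any sliding window.

    Counting per source IP rather than per account catches password spraying,
    where each individual account sees only one or two failures.
    """
    by_ip = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            by_ip[e["src_ip"]].append((e["ts"], e["user"]))
    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1  # slide the window forward
            if end - start + 1 >= threshold:
                flagged[ip] = {"failures": len(attempts),
                               "distinct_users": len({u for _, u in attempts})}
                break
    return flagged


def egress_anomalies(series_by_host, baseline_points=6, factor=3.0):
    """Hosts whose latest egress exceeds `factor` times the mean of the preceding samples."""
    anomalies = {}
    for host, series in series_by_host.items():
        if len(series) <= baseline_points:
            continue  # not enough history to form a baseline
        baseline = series[-baseline_points - 1:-1]
        mean = sum(baseline) / len(baseline)
        latest = series[-1]
        if latest > factor * mean:
            anomalies[host] = {"latest": latest, "baseline_mean": mean,
                               "ratio": round(latest / mean, 1)}
    return anomalies


if __name__ == "__main__":
    print(brute_force_sources(AUTH_EVENTS))
    print(egress_anomalies(EGRESS_BYTES))
```

Both detections are deliberately simple. In production the egress baseline should be taken per hour of day (nightly backups make a flat mean useless), and the authentication rule should also fire on a high number of distinct usernames from one source even when the total failure count stays under the threshold.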

50
MCQhard

A risk manager discovers that a business unit has been using an unapproved software-as-a-service (SaaS) application for three months. The application stores customer PII. Which of the following risk identification techniques should the risk manager use to understand the full extent of the risk?

A.Run an automated data discovery tool across the network
B.Interview the business unit head about the application's use and data stored
C.Request an independent audit of the SaaS provider
D.Review network logs to identify data transfers to the SaaS provider
AnswerB

Interview provides context on what data is stored and why, critical for risk identification.

Why this answer

Option B is correct because interviewing the business unit head is the most direct and effective technique to understand the full extent of the risk. The risk manager needs to know the specific business processes, the types and volume of PII stored, the purpose of the application, and how data flows into and out of the SaaS application. Automated tools or logs can only provide technical evidence of usage, but they cannot capture the business context, data classification, or the actual data handling practices that define the risk's scope.

Exam trap

The trap here is that candidates often choose an automated or technical option (like A or D) because they seem objective and efficient, but the question specifically asks for a technique to 'understand the full extent of the risk,' which requires human insight into business context and data handling, not just technical detection.

How to eliminate wrong answers

Option A is wrong because running an automated data discovery tool across the network can identify the presence of the SaaS application and data transfers, but it cannot determine the business purpose, the exact PII fields stored, or the data handling procedures, which are essential for understanding the full risk extent. Option C is wrong because requesting an independent audit of the SaaS provider is a reactive and external step that assumes the provider will cooperate and that the risk manager already knows the scope of data shared; it does not help the risk manager initially understand the internal usage and data stored. Option D is wrong because reviewing network logs can show data transfers to the SaaS provider, but logs alone cannot reveal the specific PII content, the business justification, or the data lifecycle within the application, leaving significant gaps in risk understanding.

51
Multi-Selecthard

A company's IT risk team is conducting a risk identification exercise for a new blockchain-based supply chain solution. Which THREE risks are MOST specific to this technology?

Select 3 answers
A.51% attack on the underlying consensus mechanism.
B.Incompatibility with legacy database systems.
C.High electricity consumption of mining nodes.
D.Smart contract vulnerabilities leading to unintended execution.
E.Cryptographic key management failures.
AnswersA, D, E

Consensus attacks are specific to blockchain.

Why this answer

A 51% attack is a specific risk to blockchain consensus mechanisms where a single entity or group gains a majority of the consensus power (hash rate under proof-of-work, stake under proof-of-stake), allowing them to reverse transactions or prevent new blocks from being confirmed. This directly undermines the integrity and immutability that blockchain promises for the supply chain solution. Smart contract vulnerabilities (D) are specific to blockchain because contract code executes automatically and irreversibly once deployed, so a logic flaw or reentrancy bug leads to unintended execution that cannot simply be rolled back. Cryptographic key management failures (E) are specific because ownership and signing authority on a blockchain rest entirely on private keys; a lost or stolen key means lost or hijacked control of the supply chain records, with no administrative password reset available.

Exam trap

ISACA often tests the distinction between generic IT risks and technology-specific risks, so candidates mistakenly select 'high electricity consumption' without considering that many blockchain implementations (especially in enterprise supply chains) do not use energy-intensive proof-of-work.

52
Multi-Selecteasy

Which TWO of the following are primary sources of risk identification for IT projects? (Select exactly 2.)

Select 2 answers
A.Security baseline
B.Project documentation
C.Risk treatment plan
D.Firewall logs
E.Lessons learned from previous projects
AnswersB, E

Requirements, design, and architecture documents contain information to identify risks.

Why this answer

Project documentation (Option B) is a primary source of risk identification because it contains the project scope, schedule, requirements, and assumptions that directly reveal potential risks such as resource constraints or scope creep. Lessons learned from previous projects (Option E) provide empirical data on actual risks encountered, mitigation effectiveness, and failure patterns, making them a critical input for identifying risks in new IT projects. Both sources are explicitly cited in the CRISC Review Manual as foundational inputs for the risk identification process.

Exam trap

The trap here is that candidates confuse operational artifacts (like firewall logs or security baselines) with project-level risk identification sources, or mistakenly think the risk treatment plan is an input rather than an output of the risk identification process.

53
MCQmedium

A retail company recently deployed a point-of-sale (POS) system that processes credit card transactions. The system is connected to the corporate network and transmits transaction data to a payment processor over the internet. During a risk assessment, the IT risk manager identifies that the POS system is vulnerable to malware injection via unvalidated input from barcode scanners. Which of the following is the MOST appropriate risk mitigation strategy?

A.Encrypt all transaction data in transit using TLS 1.2.
B.Install a next-generation firewall at the internet boundary.
C.Implement network segmentation to isolate the POS system from the corporate network.
D.Deploy application-layer input validation and sanitization for barcode scanner inputs.
AnswerD

Input validation directly prevents injection attacks.

Why this answer

Option D is the most appropriate risk mitigation strategy because the vulnerability is specifically malware injection via unvalidated input from barcode scanners. Application-layer input validation and sanitization directly addresses the root cause by ensuring that only expected, safe data is processed by the POS system, preventing injection attacks at the point of entry.

Exam trap

The trap here is that candidates often choose network-level controls like firewalls or encryption, overlooking that the vulnerability originates from local input that never traverses the network boundary.

How to eliminate wrong answers

Option A is wrong because encrypting transaction data in transit with TLS 1.2 protects data confidentiality during transmission but does not prevent malware injection through barcode scanner input. Option B is wrong because a next-generation firewall at the internet boundary inspects traffic leaving or entering the network, but it cannot validate input from a local barcode scanner connected directly to the POS system. Option C is wrong because network segmentation isolates the POS system from the corporate network, which limits lateral movement but does not prevent the initial injection of malware via unvalidated barcode scanner input.
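Added worked example, not code from the page: the application-layer control the answer describes. A keyboard-wedge scanner types whatever the label encodes, so the POS treats each scan as untrusted input, allow-lists the characters, bounds the length, verifies the GTIN check digit, and only then looks the code up with a bound SQL parameter. The inventory rows, the hostile sample scans and the maximum scan length are constructed assumptions; the two valid codes are standard textbook EAN-13 and UPC-A examples.

```python
"""Validate barcode-scanner input before it reaches the POS back end.

Added example, not code from the page. A keyboard-wedge scanner just types
whatever the label encodes, so the POS must treat a scan as untrusted input:
allow-list the characters, bound the length, and verify the GTIN check digit.
The inventory rows and the hostile sample scans are constructed.
"""
import sqlite3

GTIN_LENGTHS = {8, 12, 13, 14}  # EAN-8, UPC-A, EAN-13, GTIN-14
MAX_SCAN_LEN = 32               # assumption: longest symbology this POS accepts


def gtin_check_digit_ok(digits):
    """GTIN check digit: weights 3,1,3,... starting at the digit left of the check digit."""
    payload, check = digits[:-1], int(digits[-1])
    total = sum(int(d) * (3 if i % 2 == 0 else 1)
                for i, d in enumerate(reversed(payload)))
    return (10 - total % 10) % 10 == check


def validate_scan(raw):
    """Return the normalised code, or raise ValueError describing the rejection."""
    if not isinstance(raw, str) or len(raw) > MAX_SCAN_LEN:
        raise ValueError("scan rejected: too long or not text")
    code = raw.rstrip("\r\n")  # scanners commonly append Enter as a suffix
    # isascii() matters: str.isdigit() alone also accepts non-ASCII digit glyphs.
    if not code.isascii() or not code.isdigit():
        raise ValueError("scan rejected: contains non-digit characters")
    if len(code) not in GTIN_LENGTHS:
        raise ValueError(f"scan rejected: length {len(code)} is not a GTIN")
    if not gtin_check_digit_ok(code):
        raise ValueError("scan rejected: bad check digit")
    return code


def is_valid_scan(raw):
    try:
        validate_scan(raw)
        return True
    except ValueError:
        return False


# Constructed inventory table held in memory for the demo.
_conn = sqlite3.connect(":memory:")
_conn.execute("CREATE TABLE inventory (gtin TEXT PRIMARY KEY, name TEXT, qty INTEGER)")
_conn.executemany("INSERT INTO inventory VALUES (?, ?, ?)", [
    ("4006381333931", "gel pen, black", 120),
    ("036000291452", "facial tissue, 100 ct", 40),
])


def lookup_item(raw_scan):
    """Validate first; then query with a bound parameter, never by string-building SQL."""
    code = validate_scan(raw_scan)
    row = _conn.execute("SELECT name, qty FROM inventory WHERE gtin = ?",
                        (code,)).fetchone()
    return None if row is None else {"gtin": code, "name": row[0], "qty": row[1]}


if __name__ == "__main__":
    for scan in ("4006381333931\r\n", "036000291452", "4006381333932",
                 "'; DROP TABLE inventory;--"):
        print(repr(scan), "->", lookup_item(scan) if is_valid_scan(scan) else "rejected")
```

The parameterised query is defence in depth: the allow-list already stops a hostile payload from reaching the database, and the bound parameter stops it from being interpreted as SQL even if validation were bypassed elsewhere. Keyboard-wedge scanners can also be configured to emit control or function-key sequences, which is why the validation rejects anything that is not a digit rather than merely escaping quotes.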

54
Matchingmedium

Match each control type to its example.

Firewall blocking unauthorized traffic

Intrusion detection system alerts

Backup restoration after data loss

Security warning banners

Why these pairings

Controls are categorized by their function in risk treatment.

55 · Multi-Select · medium

Which TWO of the following are primary techniques for identifying IT risks in an organization? (Choose two.)

A. Vulnerability scanning
B. Business impact analysis (BIA)
C. Brainstorming workshops with process owners
D. Control self-assessments
E. Reviewing internal and external audit findings
Answers: C, E

A common qualitative risk identification technique.

Why this answer

Correct: C and E. Brainstorming workshops (C) and reviewing audit findings (E) are direct risk identification methods. Vulnerability scanning (A) identifies technical issues, not risk per se. BIA (B) focuses on impact. Control self-assessments (D) test controls rather than identify risks.

56 · MCQ · easy

A manufacturing company uses an industrial control system (ICS) that is connected to the corporate network for monitoring. The risk manager is identifying risks related to this connectivity. Which of the following is the MOST significant risk?

A. Compromise of ICS causing physical damage to manufacturing equipment.
B. Malware infection spreading from corporate to ICS network.
C. Network congestion due to ICS traffic affecting corporate users.
D. Unauthorized access to corporate data through the ICS connection.
Answer: A

Physical damage can lead to safety incidents, production loss, and high repair costs.

Why this answer

The most significant risk is that a compromise of the ICS could lead to physical damage, such as equipment destruction, safety hazards, or environmental release. Unlike IT systems where data loss is the primary concern, ICS failures directly impact the physical world, making safety and operational integrity the top priority in risk identification.

Exam trap

The trap here is that candidates often focus on the most common IT risk (data breach or malware) and overlook the unique ICS risk of physical damage, which is the defining characteristic of operational technology risk management.

How to eliminate wrong answers

Option B is wrong because while malware spreading from corporate to ICS is a real threat, it is a means to an end; the ultimate impact (physical damage) is more significant than the infection itself. Option C is wrong because network congestion is a performance issue, not a safety or integrity risk, and ICS traffic is typically low-bandwidth and predictable. Option D is wrong because unauthorized access to corporate data is a confidentiality risk, which is secondary to the safety and availability risks posed by ICS compromise.

57 · MCQ · hard

A risk practitioner is analyzing the results of a phishing simulation. The simulation had a 15% click rate on a test email targeting finance department staff. Which of the following conclusions is MOST valid regarding IT risk identification?

A. The email filtering system is ineffective
B. There is an increased risk of successful targeted phishing attacks against finance staff
C. This is an effective red team exercise
D. The organization has a low risk of credential theft
Answer: B

Directly identifies a risk from human factors.

Why this answer

A 15% click rate on a targeted phishing simulation indicates that a significant portion of finance staff are susceptible to social engineering, which directly increases the risk of a successful targeted phishing attack. This finding is a key input for IT risk identification because it reveals a control weakness (user awareness) that could be exploited by attackers to gain unauthorized access or initiate fraudulent transactions. The click rate itself is a risk indicator, not a definitive measure of control effectiveness like email filtering.

Exam trap

The trap here is that candidates may confuse a user awareness test result with a direct assessment of technical controls like email filtering, when in fact the simulation is designed to bypass those controls to measure human risk.

How to eliminate wrong answers

Option A is wrong because a 15% click rate does not directly measure the effectiveness of the email filtering system; the simulation email was deliberately allowed through to test user behavior, so filtering bypass is irrelevant to this conclusion. Option C is wrong because the simulation is a test of user awareness, not a red team exercise; red team exercises involve broader adversarial simulation including multiple attack vectors, not just a single phishing email. Option D is wrong because a 15% click rate indicates a non-trivial risk of credential theft, as clicking a phishing link can lead to credential harvesting or malware installation, so the risk is not low.

58 · Multi-Select · hard

Which THREE of the following are effective risk identification techniques for a cloud migration project? (Select exactly THREE.)

A. Vendor lock-in analysis
B. User acceptance testing (UAT)
C. Cloud security assessment
D. Data classification
E. Network scanning of on-premises infrastructure
Answers: A, C, D

Evaluates risks related to dependency on a single cloud provider, such as migration difficulty.

Why this answer

Vendor lock-in analysis is an effective risk identification technique for cloud migration because it evaluates the dependency on a specific cloud provider's proprietary services, APIs, or data formats. Identifying this risk early allows the organization to plan for portability, avoid costly migration barriers, and negotiate exit strategies. Without this analysis, the project may face unexpected costs or technical constraints when attempting to switch providers or return to on-premises infrastructure.

Exam trap

The trap here is confusing post-migration validation activities (UAT) or on-premises-focused scans with proactive risk identification techniques that are specifically designed to uncover cloud migration risks.

59 · MCQ · easy

A medium-sized e-commerce company recently experienced a denial-of-service (DoS) attack that took down its website for two hours. The incident response team quickly mitigated the attack by blocking the source IPs. In the aftermath, the risk manager is tasked with identifying risks to prevent recurrence. The company relies heavily on a single internet service provider (ISP) and has no DDoS protection service. The IT director suggests purchasing additional server capacity to absorb future attacks. The CEO is concerned about the cost. The risk team has identified that the likelihood of a similar attack is high based on recent industry trends, and the impact includes lost revenue and customer trust. What is the MOST effective risk identification action the risk team should take next?

A. Implement a web application firewall (WAF) to filter malicious traffic.
B. Recommend purchasing DDoS protection from a cloud-based provider.
C. Accept the risk because the cost of mitigation exceeds expected loss.
D. Document the risk and evaluate alternative mitigation options, including diversifying ISPs.
Answer: D

Proper documentation and evaluation are core to risk identification.

Why this answer

Option D is correct because the risk team's primary role during risk identification is to document the risk and evaluate alternative mitigation options before committing to a specific solution. Diversifying ISPs addresses the single point of failure in the network architecture, which is a root cause of the DoS vulnerability, and aligns with the principle of defense in depth. Simply blocking source IPs is reactive, and the IT director's suggestion of adding server capacity is a costly and potentially ineffective absorption strategy against volumetric attacks.

Exam trap

The trap here is that candidates confuse risk identification with risk treatment, selecting a specific solution (like a WAF or DDoS protection) instead of first documenting the risk and evaluating all possible options, which is the correct next step in the risk management process.

How to eliminate wrong answers

Option A is wrong because implementing a WAF is a control for application-layer attacks (e.g., SQL injection, XSS) and does not effectively mitigate volumetric or network-layer DoS attacks that saturate bandwidth. Option B is wrong because recommending a specific vendor solution (cloud-based DDoS protection) is a risk treatment decision, not a risk identification action; the risk team must first document and evaluate all options. Option C is wrong because accepting the risk is premature without first documenting the risk and evaluating alternative mitigations; the cost of mitigation may not exceed expected loss when considering reputational damage and customer trust, which are difficult to quantify.

60 · MCQ · hard

Based on the exhibit, what risk is indicated by the IAM policy?

A. External auditor can access sensitive data from any location
B. Unrestricted public access to the S3 bucket
C. Bucket is configured to allow list operations
D. Data in transit is unencrypted
Answer: A

No IP restriction on the auditor's access.

Why this answer

Option A is correct. The second statement allows the external-auditor user to download objects from the corporate-data bucket without an IP restriction, meaning the auditor can access data from anywhere, not just the internal network. Option B is incorrect because the condition restricts the first statement, and the second statement grants access to a named user rather than to the public; it is that second statement that lacks restrictions. Option D is incorrect because the policy contains no encryption requirement, so it indicates nothing about data in transit. Option C is incorrect because the policy allows GetObject, not ListBucket, so listing is not directly indicated; the risk indicated is access from anywhere.

61 · Drag & Drop · medium

Order the steps for incident response handling.


Why this order

Incident response follows preparation, detection, containment/eradication/recovery, lessons learned, and reporting.

62 · MCQ · easy

Which of the following is the PRIMARY purpose of a risk register?

A. To track the status of risk remediation actions
B. To document identified risks, their analysis, and planned responses
C. To provide real-time alerts for risk events
D. To satisfy regulatory compliance requirements
Answer: B

The risk register is the central repository for risk information.

Why this answer

The risk register is the central repository for documenting identified risks, their analysis (including likelihood and impact), and the planned responses. While it can be used to track remediation actions, its primary purpose is to serve as the authoritative record of risk information, enabling informed decision-making and ongoing risk management.

Exam trap

The trap here is that candidates confuse the risk register's primary purpose (documentation and analysis) with its secondary uses (tracking remediation or compliance), leading them to select a plausible but incorrect option like A or D.

How to eliminate wrong answers

Option A is wrong because tracking the status of risk remediation actions is a secondary function of the risk register, not its primary purpose; that tracking is often managed via action plans or issue logs. Option C is wrong because a risk register is a static or periodically updated document, not a real-time alerting system; real-time alerts are provided by monitoring tools, SIEMs, or automated risk dashboards. Option D is wrong because while a risk register may help satisfy regulatory compliance requirements, that is a beneficial outcome, not the primary purpose; the core purpose is to document and manage risks, not to meet compliance obligations.

63 · MCQ · easy

An organization is updating its asset inventory to improve IT risk identification. Which of the following asset attributes is MOST critical for assessing cybersecurity risk?

A. Criticality rating based on business impact
B. IP address and location
C. Asset owner contact information
D. Software vendor name
Answer: A

Directly feeds into risk calculation.

Why this answer

For assessing cybersecurity risk, the most critical attribute is the criticality rating based on business impact because it directly quantifies the potential harm from a security incident. Without knowing which assets are most vital to business operations, risk prioritization becomes arbitrary, leading to misallocated security controls. This aligns with the CRISC focus on risk-based decision-making, where impact drives the urgency of mitigation.

Exam trap

The trap here is that candidates often confuse operational attributes (like IP address or owner) with risk attributes, assuming that knowing where an asset is or who owns it is sufficient for risk assessment, when in fact business impact is the primary driver of risk prioritization.

How to eliminate wrong answers

Option B is wrong because IP address and location are operational attributes that help with network mapping and incident response, but they do not indicate the asset's importance or the severity of risk if compromised. Option C is wrong because asset owner contact information is useful for accountability and notification, but it does not influence the inherent risk level of the asset itself. Option D is wrong because the software vendor name alone provides no insight into the asset's business value or the specific vulnerabilities that could be exploited; it is merely a procurement detail.

64 · MCQ · hard

A software development team is adopting Agile methodology and wants to integrate risk identification into their sprints. Which approach BEST aligns with Agile principles while ensuring effective risk identification?

A. Conduct a risk workshop at the start of the project only
B. Assign risk identification solely to the product owner
C. Perform an annual risk assessment
D. Incorporate a risk identification task in each sprint backlog and review risks during sprint retrospectives
Answer: D

Continuous risk identification fits Agile's iterative nature.

Why this answer

Option D is correct because Agile emphasizes iterative, continuous improvement, and integrating risk identification into each sprint backlog ensures risks are identified and addressed as the project evolves. Reviewing risks during sprint retrospectives aligns with the Agile principle of inspecting and adapting, making risk management a recurring, team-driven activity rather than a one-time event. This approach is effective because it captures risks that emerge from changing requirements, technical debt, or integration issues during development.

Exam trap

The trap here is that candidates may think risk identification is a one-time planning activity (Option A) or a single role's responsibility (Option B), but CRISC emphasizes that risk identification must be continuous and collaborative in Agile environments to be effective.

How to eliminate wrong answers

Option A is wrong because conducting a risk workshop only at the start of the project violates the Agile principle of continuous feedback and adaptation; risks that emerge later in development (e.g., from new dependencies or scope changes) would be missed. Option B is wrong because assigning risk identification solely to the product owner contradicts the Agile principle of cross-functional team ownership and collaboration; risk identification is a shared responsibility that benefits from diverse technical perspectives. Option C is wrong because performing an annual risk assessment is too infrequent for Agile sprints, which typically last 1-4 weeks; this approach would fail to identify rapidly emerging risks such as security vulnerabilities introduced by new code or third-party library updates.

65 · MCQ · easy

A SOC analyst observes repeated failed login attempts from an external IP address targeting a user account. What is the best next step in the IT risk identification process?

A. Block the IP address immediately
B. Conduct a vulnerability scan of the target system
C. Investigate if the IP address is associated with known malicious activity
D. Escalate to the incident response team
Answer: C

Checking the IP against threat intelligence helps identify whether this is a known attacker, informing risk assessment.

Why this answer

Option C is correct because the first step in the IT risk identification process is to validate whether the observed event represents a genuine threat. Investigating the external IP address against threat intelligence feeds (e.g., VirusTotal, AlienVault OTX) confirms if it is associated with known malicious activity, such as a botnet or brute-force campaign, before taking any action. This aligns with the CRISC risk identification phase, where the goal is to characterize the risk event, not immediately respond or escalate.

Exam trap

ISACA often tests the distinction between risk identification and risk response, trapping candidates who jump to blocking or escalation without first validating the threat through investigation.

How to eliminate wrong answers

Option A is wrong because immediately blocking the IP address is a reactive response that bypasses the risk identification process; the IP could be a legitimate user behind a NAT or a false positive from a misconfigured proxy, and blocking without investigation may disrupt business operations. Option B is wrong because conducting a vulnerability scan of the target system addresses system weaknesses, not the immediate event of failed login attempts; vulnerability scanning is part of risk assessment, not risk identification, and does not confirm if the IP is malicious. Option D is wrong because escalating to the incident response team is premature before confirming the IP is malicious; incident response is triggered after risk identification and validation, not as the first step.

66 · MCQ · easy

An organization is considering migrating its customer database to a public cloud provider. Which of the following is the PRIMARY risk identification technique that should be used to identify potential data exposure risks?

A. Vulnerability scanning
B. Threat modeling
C. Penetration testing
D. Business impact analysis
Answer: B

Threat modeling systematically identifies threats relevant to the cloud migration.

Why this answer

Threat modeling is the primary risk identification technique for proactively identifying potential data exposure risks during a cloud migration. It systematically analyzes the system architecture, data flows, and trust boundaries to uncover threats such as misconfigured access controls, insecure APIs, or data leakage between tenants. Unlike reactive techniques, threat modeling focuses on design-level vulnerabilities before they are exploited.

Exam trap

The trap here is that candidates confuse vulnerability scanning (a reactive, point-in-time check) with proactive risk identification, but threat modeling is the only technique that addresses design-level data exposure risks before migration.

How to eliminate wrong answers

Option A is wrong because vulnerability scanning identifies known software flaws (e.g., CVEs) in running systems but does not assess architectural risks like data exposure from shared cloud storage or improper IAM policies. Option C is wrong because penetration testing validates exploitability of existing vulnerabilities after deployment, not the proactive identification of data exposure risks during migration planning. Option D is wrong because business impact analysis prioritizes critical assets and recovery objectives, not the technical identification of data exposure threats.

67 · MCQ · hard

You are the IT risk manager for a mid-sized e-commerce company. The company processes credit card payments and stores customer data. Recently, the company experienced a security incident where an attacker exploited a SQL injection vulnerability in the web application, exfiltrating a database of customer records. The vulnerability was introduced three months ago during a feature upgrade. The development team claims they followed secure coding guidelines, but the vulnerability was missed due to insufficient testing. The company's risk appetite is moderate, and they have a risk management policy that requires risks to be treated within 30 days of identification. The CISO wants to know the most effective way to reduce the likelihood of similar incidents. You have assessed that the current risk score for web application vulnerabilities is 16 (High). The company has a bug bounty program, but it has not been effective. Which of the following courses of action would BEST address the root cause and reduce the risk?

A. Increase the frequency of vulnerability scanning and patch management.
B. Deploy a web application firewall (WAF) to block SQL injection attempts.
C. Increase the reward amounts in the bug bounty program to attract more researchers.
D. Implement a secure software development lifecycle (SSDLC) with mandatory security training, code reviews, and automated security testing.
Answer: D

This addresses the root cause by preventing vulnerabilities from being introduced.

Why this answer

Option D is correct because the root cause of the incident is a failure in the development process: secure coding guidelines were followed but insufficient testing allowed a SQL injection vulnerability to be introduced. Implementing a Secure Software Development Lifecycle (SSDLC) with mandatory security training, code reviews, and automated security testing directly addresses this root cause by embedding security controls into every phase of development, preventing vulnerabilities from being introduced in the first place. This is the most effective way to reduce the likelihood of similar incidents, as it proactively fixes the process rather than relying on reactive measures.

Exam trap

The trap here is that candidates often choose a compensating control (like a WAF or vulnerability scanning) because it seems faster or more familiar, but the question asks for the BEST way to reduce likelihood by addressing the root cause, which requires a preventive, process-level change like SSDLC.

How to eliminate wrong answers

Option A is wrong because increasing vulnerability scanning and patch management is a reactive measure that detects vulnerabilities after deployment, not preventing them from being introduced during development; it does not address the root cause of insufficient testing in the SDLC. Option B is wrong because deploying a WAF is a compensating control that can block some SQL injection attempts, but it does not fix the underlying insecure coding practices and can be bypassed by sophisticated attackers or misconfigurations; it reduces impact but not likelihood. Option C is wrong because increasing bug bounty rewards may attract more researchers, but the program has already been ineffective, and relying on external researchers to find vulnerabilities after release is reactive and does not prevent the introduction of vulnerabilities during development.

68 · MCQ · easy

Refer to the exhibit. What is the most likely risk indicated by this error log?

A. Buffer overflow
B. SQL injection
C. Denial of service
D. Cross-site scripting
Answer: B

The error line contains the SQL injection payload "' OR 1=1 --", indicating an attempt to exploit a SQL injection vulnerability.

Why this answer

The error log shows a SQL query with a single quote (') in the input, which is a classic indicator of a SQL injection attempt. The query "SELECT * FROM users WHERE username = 'admin' OR '1'='1'" is attempting to manipulate the SQL statement to bypass authentication or extract data. This directly corresponds to SQL injection (option B), as the attacker is injecting malicious SQL code through user input.

Exam trap

The trap here is that candidates may confuse SQL injection with cross-site scripting because both involve input manipulation, but the key distinction is the context: SQL injection targets the database layer via SQL queries, while XSS targets the browser via HTML/JavaScript rendering.

How to eliminate wrong answers

Option A (Buffer overflow) is wrong because the error log shows a SQL query, not a memory corruption or overflow of a buffer; buffer overflows typically involve stack or heap corruption from excessive input, not SQL syntax errors. Option C (Denial of service) is wrong because the log shows a single malformed query, not a flood of requests or resource exhaustion that would cause a denial of service; DoS attacks aim to overwhelm the system, not inject SQL. Option D (Cross-site scripting) is wrong because the input is being used in a SQL query, not rendered in a web page; XSS involves injecting client-side scripts (e.g., JavaScript) into a browser, not server-side SQL statements.

69 · Multi-Select · hard

Which TWO risk identification techniques are most appropriate for identifying emerging risks from new technologies?

A. Scenario analysis
B. Historical incident review
C. Delphi technique
D. Peer benchmarking
E. Threat intelligence feeds
Answers: A, E

Scenario analysis explores potential future risks from new technologies.

Why this answer

Scenario analysis is correct because it involves constructing plausible future states to explore how new technologies might introduce unforeseen risks, making it ideal for emerging technologies where historical data is absent. Threat intelligence feeds are correct because they provide real-time, external data on vulnerabilities, exploits, and attack patterns targeting new technologies, enabling proactive risk identification.

Exam trap

The trap here is that candidates often choose historical incident review or peer benchmarking because they seem data-driven, but they fail to recognize that emerging technologies lack the historical data or peer maturity needed for these methods to be effective.

70 · MCQ · easy

An organization is implementing a new data loss prevention (DLP) solution. The risk manager is identifying potential risks related to the DLP solution itself. Which of the following is a risk that should be considered?

A. The DLP solution may generate a high volume of false positives, causing alert fatigue and missed real incidents.
B. The DLP solution will reduce the risk of data exfiltration.
C. The DLP solution will block all unauthorized data transfers.
D. The DLP solution will automatically encrypt sensitive data in transit.
Answer: A

False positives are a common risk with DLP implementations.

Why this answer

Option A is correct because a DLP solution may generate false positives, leading to alert fatigue and missed detections. Option B is a benefit, not a risk. Option C is a control. Option D is a desired outcome.

71 · MCQ · medium

A company uses a DevOps approach with a continuous integration/continuous deployment (CI/CD) pipeline. Which risk identification technique is best suited for detecting code vulnerabilities early in the development lifecycle?

A. Quarterly penetration testing
B. Automated security scanning integrated into the pipeline
C. Threat modeling of system architecture
D. Manual code review
Answer: B

Automated scanning integrates seamlessly with CI/CD, providing immediate vulnerability detection.

Why this answer

Automated security scanning integrated into the CI/CD pipeline is best suited for detecting code vulnerabilities early because it runs continuously on every code commit, providing immediate feedback to developers. This aligns with the DevOps principle of shifting security left, catching issues like SQL injection or insecure dependencies before they reach production. Unlike periodic tests, this technique ensures vulnerabilities are identified at the moment of introduction, minimizing remediation cost and risk.

Exam trap

The trap here is that candidates may choose threat modeling (Option C) because it is a recognized risk identification technique, but they fail to recognize that it is not designed to detect code-level vulnerabilities early in the development lifecycle, which requires continuous, automated scanning within the pipeline.

How to eliminate wrong answers

Option A is wrong because quarterly penetration testing is a periodic, point-in-time assessment that occurs long after code is deployed, failing to detect vulnerabilities early in the development lifecycle. Option C is wrong because threat modeling of system architecture is a design-phase technique that identifies high-level threats and attack surfaces, not specific code-level vulnerabilities like buffer overflows or injection flaws. Option D is wrong because manual code review, while valuable, is slower, less consistent, and cannot scale to the frequency of commits in a CI/CD pipeline, making it impractical for early and continuous detection.

72 · MCQ · easy

A company is identifying risks associated with a new cloud-based CRM. Which of the following is the MOST effective method for identifying potential threats?

A. Threat modeling workshops with stakeholders
B. Reviewing industry standards only
C. Conducting penetration testing alone
D. Analyzing historical security incidents from similar organizations
Answer: A

Threat modeling workshops are systematic and collaborative, effectively identifying threats specific to the CRM.

Why this answer

Threat modeling workshops with stakeholders are the most effective method because they leverage diverse expertise to systematically identify threats specific to the cloud-based CRM architecture, including misconfigurations in IAM roles, API vulnerabilities, and data residency issues. This collaborative approach aligns with the CRISC focus on proactive risk identification by considering business context, technical constraints, and regulatory requirements early in the lifecycle.

Exam trap

The trap here is that candidates often choose penetration testing (Option C) because it is a familiar technical activity, but the question asks for the 'most effective method for identifying potential threats' in a new system, where proactive collaboration (threat modeling) outperforms reactive testing.

How to eliminate wrong answers

Option B is wrong because reviewing industry standards only provides a baseline of known controls but fails to capture organization-specific threats, such as custom CRM integrations or unique data flows. Option C is wrong because conducting penetration testing alone is a reactive, point-in-time validation that may miss logical threats (e.g., privilege escalation via business logic flaws) and does not involve stakeholder input for comprehensive threat enumeration. Option D is wrong because analyzing historical security incidents from similar organizations offers hindsight but cannot predict novel attack vectors or misconfigurations unique to the company's cloud deployment model (e.g., SaaS vs. PaaS).

73 · MCQ · easy

A company uses a third-party SaaS application for payroll processing. What is the most important activity to identify IT risks associated with this service?

A. Conducting a vendor risk assessment
B. Performing penetration testing on the SaaS application
C. Reviewing the service-level agreement (SLA)
D. Implementing multi-factor authentication (MFA)
Answer: A

Vendor risk assessment systematically identifies and evaluates risks from third-party services.

Why this answer

A vendor risk assessment is the most important activity because it systematically evaluates the third-party SaaS provider's security controls, compliance posture, and operational resilience before and during service use. For a payroll SaaS, this includes reviewing data protection measures for sensitive employee PII, understanding the provider's SOC 2 Type II report, and assessing their incident response capabilities. Without this assessment, the organization cannot identify inherent risks like unauthorized data access, service downtime, or regulatory non-compliance specific to the third-party environment.

Exam trap

The trap here is that candidates confuse risk identification activities (like vendor assessments) with risk mitigation controls (like MFA) or contractual reviews (like SLAs), leading them to select a control or document review instead of the foundational assessment needed to uncover risks.

How to eliminate wrong answers

Option B is wrong because penetration testing on the SaaS application is typically prohibited by the provider's terms of service and would require explicit contractual permission; it is a technical control validation step, not a risk identification activity. Option C is wrong because reviewing the SLA identifies contractual remedies and uptime guarantees but does not uncover underlying security vulnerabilities, data handling practices, or third-party dependencies that constitute IT risks. Option D is wrong because implementing MFA is a risk mitigation control, not a risk identification activity; it reduces the likelihood of unauthorized access but does not help identify what risks exist in the first place.

74
MCQ · hard

An organization has recently suffered a ransomware attack that encrypted critical files. During the post-incident review, the risk team is identifying key risk indicators (KRIs) to improve early detection. Which of the following KRIs would be MOST effective in detecting similar attacks in the future?

A. Frequency of antivirus signature updates.
B. Number of unauthorized remote access attempts.
C. Percentage of employees who completed security awareness training.
D. Time to patch critical vulnerabilities.
Answer: B

Direct indicator of possible ransomware entry.

Why this answer

Option B is correct because unauthorized remote access attempts are a direct, detective indicator of a common ransomware entry vector. Option A (frequency of antivirus signature updates) is important but is not the most direct indicator for detection. Option C is preventive, not detective. Option D is corrective.

75
Multi-Select · easy

Which THREE of the following are indicators of potential IT risk in an organization? (Select exactly THREE.)

Select 3 answers
A. Strong password policy
B. Regular patching cycles
C. High employee turnover in IT
D. Frequent changes to firewall rules
E. Increasing number of help desk tickets
Answers: C, D, E

Leads to loss of institutional knowledge and potential operational gaps.

Why this answer

High employee turnover in IT is a risk indicator because it can lead to loss of institutional knowledge, inconsistent security practices, and increased likelihood of misconfigurations or unpatched systems. When experienced staff leave, remaining or new employees may lack the context to properly manage firewall rules, access controls, or incident response, creating vulnerabilities.

Exam trap

The trap here is confusing risk indicators (conditions that signal potential risk) with risk controls (actions that reduce risk), leading candidates to select strong password policies or patching cycles as risk indicators instead of recognizing them as mitigations.

