CRISC Exam Question 171
During a routine check, a system administrator identifies unusual activity indicating an intruder within a firewall. Which of the following controls has MOST likely been compromised?
Correct Answer: C
Authentication is a control that verifies the identity of a user or a system that tries to access a computer system or network. Authentication can be based on something the user or system knows (such as a password or a PIN), something the user or system has (such as a token or a smart card), or something the user or system is (such as a fingerprint or a retina scan). Authentication is a crucial control for preventing unauthorized or malicious access to a system or network, as well as for ensuring the accountability and traceability of the actions performed by the user or system. If the authentication control is compromised, it means that the user or system can bypass or break the verification process and gain access to the system or network without being identified or authorized. This can expose the system or network to various threats, such as data theft, data corruption, data leakage, or denial of service. Therefore, the authentication control has most likely been compromised if a system administrator identifies unusual activity indicating an intruder within a firewall. A firewall is a device or a software that monitors and filters the incoming and outgoing network traffic based on predefined rules and policies. A firewall can help to protect the system or network from external or internal attacks by blocking or allowing the traffic based on the source, destination, protocol, or content. However, a firewall cannot prevent an intruder from accessing the system or network if the intruder has already authenticated or impersonated a legitimate user or system. The other options are not the most likely controls to be compromised if a system administrator identifies unusual activity indicating an intruder within a firewall, although they may be affected or related. Data validation is a control that checks the accuracy, completeness, and quality of the data that is entered, processed, or stored by a system or a network. Data validation can help to prevent or detect data errors, anomalies, or inconsistencies that may affect the performance, functionality, or reliability of the system or network. However, data validation does not prevent or detect unauthorized or malicious access to the system or network, as it only focuses on the data, not the user or system. Identification is a control that assigns a unique identifier to a user or a system that tries to access a computer system or network. Identification can be based on a username, an email address, a phone number, or a certificate. Identification is a necessary but not sufficient control for preventing unauthorized or malicious access to a system or network, as it only declares who or what the user or system is, but does not prove it. Identification needs to be combined with authentication to verify the identity of the user or system.
Data integrity is a control that ensures that the data is accurate, consistent, and complete throughout its lifecycle. Data integrity can be achieved by implementing various controls, such as encryption, hashing, checksum, digital signature, or backup. Data integrity can help to protect the data from unauthorized or accidental modification, deletion, or corruption that may affect the value, meaning, or usability of the data. However, data integrity does not prevent or detect unauthorized or malicious access to the system or network, as it only protects the data, not the user or system. References = CRISC Review Manual, pages 164-
1651; CRISC Review Questions, Answers & Explanations Manual, page 952; What is Authentication? - Definition from Techopedia3; What is a Firewall? - Definition from Techopedia4
Data integrity is a control that ensures that the data is accurate, consistent, and complete throughout its lifecycle. Data integrity can be achieved by implementing various controls, such as encryption, hashing, checksum, digital signature, or backup. Data integrity can help to protect the data from unauthorized or accidental modification, deletion, or corruption that may affect the value, meaning, or usability of the data. However, data integrity does not prevent or detect unauthorized or malicious access to the system or network, as it only protects the data, not the user or system. References = CRISC Review Manual, pages 164-
1651; CRISC Review Questions, Answers & Explanations Manual, page 952; What is Authentication? - Definition from Techopedia3; What is a Firewall? - Definition from Techopedia4
CRISC Exam Question 172
The MOST important reason to monitor key risk indicators (KRIs) is to help management:
Correct Answer: B
Key risk indicators (KRIs) are metrics used by organizations to monitor and assess potential risks that may impact their objectives and performance. KRIs also provide early warning signals that help organizations identify, analyze, and address risks before they escalate into significant issues1. The most importantreason to monitor KRIs is to help management lessen the impact of realized risk, which is the actual or expected negative consequence of a risk event2. By monitoring KRIs, management can gain insight into the current and emerging risk exposures and trends, and evaluate their alignment with the organization's risk appetite and tolerance3. This enables management to make informed and timely decisions and actions to mitigate or eliminate the risks, and to allocate resources and prioritize efforts where they are most needed. By lessening the impact of realized risk, management can also protect and enhance the organization's reputation, performance, and value. Identifying early risk transfer strategies, analyzing the chain of risk events, and identifying the root cause of risk events are not the most important reasons to monitor KRIs, as they do not provide the same level of benefit and value as lessening the impact of realized risk. Identifying early risk transfer strategies is a process that involves finding and implementing ways to shift or share the risk or its impact to another party, such as through insurance, outsourcing, or hedging4. Identifying early risk transfer strategies can help to reduce the organization's risk exposure and liability, but it does not necessarily lessen the impact of realized risk, as the risk or its impact may still occur or affect the organization indirectly. Analyzing the chain of risk events is a process that involves tracing and understanding the sequence and interconnection of the risk events that lead to a specific outcome or consequence5. Analyzing the chain of risk events can help to identify and address the root causes and contributing factors of the risk events, but it does not necessarily lessen the impact of realized risk, as the outcome or consequence may have already occurred or be unavoidable. Identifying the root cause of risk events is a process that involves finding and determining the underlying or fundamental source or reason of the risk events. Identifying the root cause of risk events can help to prevent or correct the recurrence or escalation of the risk events, but it does not necessarily lessen the impact of realized risk, as the impact may have already happened or be irreversible. References = 1: Key Risk Indicators: A Practical Guide | SafetyCulture2: Risk Impact - an overview | ScienceDirect Topics3: KRI Framework for Operational Risk Management | Workiva4: Risk Transfer - an overview | ScienceDirect Topics5: EventChainMethodology - Wikipedia : [Root Cause Analysis
- an overview | ScienceDirect Topics] : [Risk and Information Systems Control Study Manual, Chapter 4:
Risk and Control Monitoring and Reporting, Section 4.1: Key Risk Indicators, pp. 181-185.]
- an overview | ScienceDirect Topics] : [Risk and Information Systems Control Study Manual, Chapter 4:
Risk and Control Monitoring and Reporting, Section 4.1: Key Risk Indicators, pp. 181-185.]
CRISC Exam Question 173
Which of the following is the PRIMARY purpose of analyzing control effectiveness during risk analysis?
Correct Answer: D
During risk analysis, CRISC distinguishes between inherent risk (without controls) and residual or current risk (with controls). Analyzingcontrol effectiveness-both in design and operation-is central to determining thecurrent risk level. Effective controls reduce either the likelihood of occurrence, the impact, or both. The assessment of their strength, coverage, and reliability allows the practitioner to adjust the initial inherent risk estimate down to a realistic residual risk figure and compare this to appetite and tolerance. Cost-benefit analysis of controls is a later step in risk response decision-making. Impact evaluation depends more on the nature of assets and processes than on controls. Likelihood is influenced by controls, but the primary purpose of control effectiveness analysis is to calculate the updated (residual) risk level, not just likelihood independently.
Reference:CRISC Review Manual - Risk Assessment (control analysis and inherent vs residual risk).
Reference:CRISC Review Manual - Risk Assessment (control analysis and inherent vs residual risk).
CRISC Exam Question 174
Which of the following BEST facilitates the identification of emerging risk?
Correct Answer: A
Performing scenario-based assessments is a proactive approach that allows organizations to anticipate potential future events and assess their impact. This method helps in identifying emerging risks by exploring hypothetical situations and their possible outcomes. It enables organizations to prepare for unforeseen events by understanding how different scenarios could affect their operations and objectives.
Reference:ISACA CRISC Review Manual, 7th Edition, Chapter 2: IT Risk Assessment, Section: Risk Identification Techniques.
Reference:ISACA CRISC Review Manual, 7th Edition, Chapter 2: IT Risk Assessment, Section: Risk Identification Techniques.
CRISC Exam Question 175
Which of the following is the BEST approach for an organization in a heavily regulated industry to comprehensively test application functionality?
Correct Answer: D
Using anonymized data in a non-production environment is the best approach for an organization in a heavily regulated industry to comprehensively test application functionality. Anonymized data is data that has been stripped of any personally identifiable information (PII) or other sensitive data, such as names, addresses, phone numbers, email addresses, etc. Anonymized data protects the privacy and security of the data, while still preserving the structure and format of the original data. Using anonymized data in a non-production environment allows the organization to test the application functionality without risking data breaches or violating regulations. Using production data, masked data, or test data in either production or non-production environments are not as optimal as using anonymized data, because they may introduce errors, inconsistencies, or vulnerabilities in the data or the application. References = Risk and Information Systems Control Study Manual, Chapter 3, Section 3.3.1, page 3-21.
- Other Version
- 1708ISACA.CRISC.v2026-03-31.q857
- 2054ISACA.CRISC.v2026-01-15.q649
- 4977ISACA.CRISC.v2025-09-26.q726
- 4183ISACA.CRISC.v2025-08-27.q675
- 6036ISACA.CRISC.v2025-01-04.q999
- 3003ISACA.CRISC.v2024-06-13.q683
- 4262ISACA.CRISC.v2024-04-02.q999
- 4147ISACA.CRISC.v2023-07-10.q544
- 6732ISACA.CRISC.v2022-05-25.q338
- 76ISACA.Actual4dump.CRISC.v2022-04-12.by.newman.349q.pdf
- 6363ISACA.CRISC.v2022-02-22.q349
- 6622ISACA.CRISC.v2021-10-27.q295
- 42ISACA.Updatedumps.CRISC.v2021-09-05.by.bonnie.114q.pdf
- Latest Upload
- 168Microsoft.AZ-900.v2026-07-16.q224
- 109Microsoft.AB-730.v2026-07-16.q19
- 131Google.Professional-Cloud-DevOps-Engineer.v2026-07-16.q92
- 136ACFE.CFE-Investigation.v2026-07-16.q87
- 192CompTIA.SY0-701.v2026-07-15.q325
- 560ISACA.CRISC.v2026-07-15.q907
- 228NISM.NISM-Series-VII.v2026-07-14.q164
- 211PECB.ISO-IEC-27001-Lead-Implementer.v2026-07-14.q147
- 173API.API-510.v2026-07-13.q47
- 347Microsoft.AZ-400.v2026-07-13.q294
[×]
Download PDF File
Enter your email address to download ISACA.CRISC.v2026-07-15.q907 Practice Test
