CRISC Exam Question 301
Which of the following should be implemented to BEST mitigate the risk associated with infrastructure updates?
Correct Answer: C
The best way to mitigate the risk associated with infrastructure updates is to implement a change control process. A change control process is a set of procedures that ensures that any changes to the infrastructure are planned, approved, tested, implemented, and documented in a consistent and controlled manner. A change control process helps to reduce the risk of errors, conflicts, disruptions, or security breaches that could result from infrastructure updates. A change controlprocess also helps to monitor and evaluate the impact and effectiveness of the changes, and to ensure that they align with the enterprise's objectives and requirements. References = Risk and Information Systems Control Study Manual, 7th Edition, Chapter 3, Section 3.3.1, page 1391
CRISC Exam Question 302
Which of the following is the MOST important reason for a risk practitioner to identify stakeholders for each IT risk scenario?
Correct Answer: C
Identifying stakeholders ensures that all perspectives are considered, contributing to a holistic view of risk and improving communication and response planning.
Reference:CRISC Manual - Domain 1: Governance, Slide 405-408
Reference:CRISC Manual - Domain 1: Governance, Slide 405-408
CRISC Exam Question 303
During implementation of an intrusion detection system (IDS) to monitor network traffic, a high number of alerts is reported. The risk practitioner should recommend to:
Correct Answer: C
An intrusion detection system (IDS) is a network security tool that monitors network traffic and devices for known malicious activity, suspicious activity or security policy violations1. An IDS can generate alerts when it detects any potential threats, but not all alerts are accurate or relevant. There are two types of errors that can affect the performance and reliability of an IDS: false positives and false negatives2.
A false positive is when an IDS incorrectly flags a benign or normal activity as malicious or suspicious. For example, an IDS may alert on a legitimate network scan or a harmless software update. False positives can reduce the credibility and efficiency of an IDS, as they can overwhelm the security team with unnecessary alerts, distract them from the real threats, and cause them to ignore or disable the IDS3.
A false negative is when an IDS fails to flag a malicious or suspicious activity as such. For example, an IDS may miss a stealthy or novel attack that does not match any known signatures or patterns. False negatives can compromise the security and integrity of the network, as they can allow attackers to bypass the IDS and cause damage or steal data without being detected4.
The risk practitioner should recommend to analyze the alerts to minimize the false positives, because this is the best way to improve the accuracy and usefulness of the IDS. By analyzing the alerts, the risk practitioner can:
Identify the sources and causes of the false positives, such as misconfigured or outdated IDS rules, network anomalies, or legitimate traffic that resembles malicious traffic5.
Adjust or fine-tune the IDS settings, such as the alert threshold, the sensitivity level, the detection method, or the rule base, to reduce the number of false positives without increasing the risk of false negatives.
Validate or verify the alerts with other sources of information, such as logs, network traffic analysis, or threat intelligence, to confirm or dismiss the alerts as true or false positives.
Prioritize or classify the alerts based on their severity, impact, or likelihood, to focus on the most critical or relevant alerts and avoid alert fatigue.
The other options are not the best course of action, because:
Resetting the alert threshold based on peak traffic is not a reliable or effective way to minimize the false positives, as it may also increase the risk of false negatives. The alert threshold is the level of activity or deviation that triggers an alert from the IDS. If the threshold is set too high, the IDS may miss some malicious or suspicious activity that occurs below the threshold. If the threshold is set too low, the IDS may generate too many alerts for normal or benign activity that exceeds the threshold. The optimal threshold depends on various factors, such as the network size, topology, traffic volume, and baseline. Peak traffic is not a good indicator of the optimal threshold, as it may vary depending on the time, day, or season, and it may not reflect the normal or expected network behavior.
Analyzing the traffic to minimize the false negatives is not the main issue or goal in this scenario, as the problem is the high number of alerts, not the low number of alerts. Analyzing thetraffic can help to identify the malicious or suspicious activity that the IDS may have missed, but it does not address the root cause of the false positives or improve the IDS performance. Moreover, analyzing the traffic can be time-consuming and resource-intensive, especially for large or complex networks, and it may require specialized tools or skills that the risk practitioner may not have.
Sniffing the traffic using a network analyzer is not a suitable or feasible option in this scenario, as it may violate the privacy or security policies of the network or the organization. Sniffing the traffic means capturing and inspecting the network packets that are transmitted or received by the devices on the network. A network analyzer is a tool that can perform this function and display the packet data in a readable format. However, sniffing the traffic can also expose sensitive or confidential information, such as passwords, usernames, or credit card numbers, that may be contained in the packets. Therefore, sniffing the traffic may require authorization or consent from the network owners or users, and it may be restricted or prohibited by law or regulation.
References =
What is an intrusion detection system (IDS)? - IBM
Intrusion detection system - Wikipedia
What Are Intrusion Detection Systems? - MUO
12 Best Intrusion Detection System (IDS) Software 2024 - Comparitech
What is an Intrusion Detection System (IDS)? - Fortinet
[False Positive and False Negative in Intrusion Detection System]
[False Positives and False Negatives in Intrusion Detection Systems]
[How to Reduce False Positives for Your IDS/IPS]
[How to Set the Right Alert Thresholds for Your IDS/IPS]
[Network Traffic Analysis: What It Is and How It Works]
[What is a Network Analyzer? - Definition from Techopedia]
A false positive is when an IDS incorrectly flags a benign or normal activity as malicious or suspicious. For example, an IDS may alert on a legitimate network scan or a harmless software update. False positives can reduce the credibility and efficiency of an IDS, as they can overwhelm the security team with unnecessary alerts, distract them from the real threats, and cause them to ignore or disable the IDS3.
A false negative is when an IDS fails to flag a malicious or suspicious activity as such. For example, an IDS may miss a stealthy or novel attack that does not match any known signatures or patterns. False negatives can compromise the security and integrity of the network, as they can allow attackers to bypass the IDS and cause damage or steal data without being detected4.
The risk practitioner should recommend to analyze the alerts to minimize the false positives, because this is the best way to improve the accuracy and usefulness of the IDS. By analyzing the alerts, the risk practitioner can:
Identify the sources and causes of the false positives, such as misconfigured or outdated IDS rules, network anomalies, or legitimate traffic that resembles malicious traffic5.
Adjust or fine-tune the IDS settings, such as the alert threshold, the sensitivity level, the detection method, or the rule base, to reduce the number of false positives without increasing the risk of false negatives.
Validate or verify the alerts with other sources of information, such as logs, network traffic analysis, or threat intelligence, to confirm or dismiss the alerts as true or false positives.
Prioritize or classify the alerts based on their severity, impact, or likelihood, to focus on the most critical or relevant alerts and avoid alert fatigue.
The other options are not the best course of action, because:
Resetting the alert threshold based on peak traffic is not a reliable or effective way to minimize the false positives, as it may also increase the risk of false negatives. The alert threshold is the level of activity or deviation that triggers an alert from the IDS. If the threshold is set too high, the IDS may miss some malicious or suspicious activity that occurs below the threshold. If the threshold is set too low, the IDS may generate too many alerts for normal or benign activity that exceeds the threshold. The optimal threshold depends on various factors, such as the network size, topology, traffic volume, and baseline. Peak traffic is not a good indicator of the optimal threshold, as it may vary depending on the time, day, or season, and it may not reflect the normal or expected network behavior.
Analyzing the traffic to minimize the false negatives is not the main issue or goal in this scenario, as the problem is the high number of alerts, not the low number of alerts. Analyzing thetraffic can help to identify the malicious or suspicious activity that the IDS may have missed, but it does not address the root cause of the false positives or improve the IDS performance. Moreover, analyzing the traffic can be time-consuming and resource-intensive, especially for large or complex networks, and it may require specialized tools or skills that the risk practitioner may not have.
Sniffing the traffic using a network analyzer is not a suitable or feasible option in this scenario, as it may violate the privacy or security policies of the network or the organization. Sniffing the traffic means capturing and inspecting the network packets that are transmitted or received by the devices on the network. A network analyzer is a tool that can perform this function and display the packet data in a readable format. However, sniffing the traffic can also expose sensitive or confidential information, such as passwords, usernames, or credit card numbers, that may be contained in the packets. Therefore, sniffing the traffic may require authorization or consent from the network owners or users, and it may be restricted or prohibited by law or regulation.
References =
What is an intrusion detection system (IDS)? - IBM
Intrusion detection system - Wikipedia
What Are Intrusion Detection Systems? - MUO
12 Best Intrusion Detection System (IDS) Software 2024 - Comparitech
What is an Intrusion Detection System (IDS)? - Fortinet
[False Positive and False Negative in Intrusion Detection System]
[False Positives and False Negatives in Intrusion Detection Systems]
[How to Reduce False Positives for Your IDS/IPS]
[How to Set the Right Alert Thresholds for Your IDS/IPS]
[Network Traffic Analysis: What It Is and How It Works]
[What is a Network Analyzer? - Definition from Techopedia]
CRISC Exam Question 304
Which of the following is the MOST important consideration when selecting either a qualitative or quantitative risk analysis?
Correct Answer: C
The most important consideration when selecting either a qualitative or quantitative risk analysis is the time available for risk analysis, as this affects the level of detail and accuracy that can be achieved in the risk assessment process. Qualitative risk analysis is a method that uses subjective judgments and ratings to measure and prioritize the risks based on their likelihood and impact, as well as other factors such as urgency, velocity, and persistence. Qualitative risk analysis is usually faster and simpler than quantitative risk analysis, but it may also be less precise and consistent. Quantitative risk analysis is a method that uses numerical data and mathematical models to measure and prioritize the risks based on theirprobability and magnitude, as well as other factors such as frequency, duration, and correlation. Quantitative risk analysis is usually more complex and time-consuming than qualitative risk analysis, but it may also provide more objective and reliable results. The other options are not the most important considerations when selecting either a qualitative or quantitative risk analysis, although they may have some influence or relevance. Expertise in both methodologies is desirable, but it does not determine the choice of the risk analysis method, as it depends on the availability and suitability of the experts for the specific risk context and objectives. Maturity of the risk management program is important, but it does not dictate the choice of the risk analysis method, as it depends on the level of integration and alignment of the risk management activities with the enterprise's strategy and goals. Resources available for data analysis are relevant, but they do not decide the choice of the risk analysis method, as they depend on the quality and availability of the data sources and tools for the risk assessment process. References = Risk and Information Systems Control Study Manual, Chapter 3: IT Risk Assessment, page 81.ST
CRISC Exam Question 305
Which of the following is the PRIMARY accountability for a control owner?
Correct Answer: C
The primary accountability for a control owner is to ensure the control operates effectively, as they have the authority and responsibility to design, implement, monitor, and report on the performance and adequacy of the control, and to identify and address any control gaps or deficiencies. Communicating risk to senior management, owning the associated risk the control is mitigating, and identifying and assessing control weaknesses are not the primary accountabilities, as they are more related to the roles and responsibilities of the risk owner, the risk practitioner, or the auditor, respectively, rather than the control owner. References = CRISC Review Manual, 7th Edition, page 101.
- Other Version
- 1713ISACA.CRISC.v2026-03-31.q857
- 2076ISACA.CRISC.v2026-01-15.q649
- 4990ISACA.CRISC.v2025-09-26.q726
- 4202ISACA.CRISC.v2025-08-27.q675
- 6051ISACA.CRISC.v2025-01-04.q999
- 3010ISACA.CRISC.v2024-06-13.q683
- 4270ISACA.CRISC.v2024-04-02.q999
- 4151ISACA.CRISC.v2023-07-10.q544
- 6740ISACA.CRISC.v2022-05-25.q338
- 76ISACA.Actual4dump.CRISC.v2022-04-12.by.newman.349q.pdf
- 6367ISACA.CRISC.v2022-02-22.q349
- 6626ISACA.CRISC.v2021-10-27.q295
- 42ISACA.Updatedumps.CRISC.v2021-09-05.by.bonnie.114q.pdf
- Latest Upload
- 228Microsoft.AZ-900.v2026-07-16.q224
- 123Microsoft.AB-730.v2026-07-16.q19
- 169Google.Professional-Cloud-DevOps-Engineer.v2026-07-16.q92
- 176ACFE.CFE-Investigation.v2026-07-16.q87
- 195CompTIA.SY0-701.v2026-07-15.q325
- 602ISACA.CRISC.v2026-07-15.q907
- 246NISM.NISM-Series-VII.v2026-07-14.q164
- 220PECB.ISO-IEC-27001-Lead-Implementer.v2026-07-14.q147
- 177API.API-510.v2026-07-13.q47
- 360Microsoft.AZ-400.v2026-07-13.q294
[×]
Download PDF File
Enter your email address to download ISACA.CRISC.v2026-07-15.q907 Practice Test
