CRISC Risk Response and Mitigation Strategies 2

Question 1

Which element MUST be included in a risk response plan to ensure accountability?

Accepted Answer

Named owner responsible for implementing the response

Answer

A list of all organizational IT assets

Answer

The risk assessment methodology used

Answer

A history of past security incidents

Question 2

Which statement BEST describes the difference between a preventive and a detective control?

Accepted Answer

Preventive controls stop incidents before they occur; detective controls identify incidents after they begin

Answer

Preventive controls are manual; detective controls are automated

Answer

Preventive controls reduce impact; detective controls reduce likelihood

Answer

Preventive controls are more expensive than detective controls

Question 3

When a risk cannot be fully mitigated, the BEST course of action is to:

Accepted Answer

Formally accept the residual risk with senior management approval

Answer

Escalate immediately to external regulators

Answer

Implement additional controls regardless of cost

Answer

Document the risk and take no further action

Question 4

A corrective control is MOST effective for:

Accepted Answer

Minimizing damage and restoring normal operations after a risk event

Answer

Preventing unauthorized access before it occurs

Answer

Detecting policy violations in real time

Answer

Transferring risk liability to a third party

Question 5

Which approach to risk mitigation involves redesigning a business process to eliminate a risk entirely?

Accepted Answer

Risk avoidance through process redesign

Answer

Risk transfer through outsourcing

Answer

Risk acceptance with monitoring

Answer

Risk sharing with business partners

Question 6

The PRIMARY purpose of a risk treatment plan is to:

Accepted Answer

Document agreed responses to specific risks with timelines and owners

Answer

Provide technical specifications for security tool deployment

Answer

List all risks identified in the annual risk assessment

Answer

Define the organization's risk appetite and tolerance levels