CRISC IT Risk Identification 2

Question 1

What role does a risk owner play in the IT risk identification process?

Accepted Answer

Accountable for managing a specific risk and ensuring appropriate responses are taken

Answer

Responsible only for documenting risks in the register

Answer

In charge of conducting penetration tests

Answer

Oversees the IT budget allocation

Question 2

Which of the following is an example of an internal threat source?

Accepted Answer

A disgruntled employee with access to sensitive systems

Answer

A nation-state hacking group

Answer

A natural disaster such as a flood

Answer

A third-party vendor malware campaign

Question 3

What is the difference between a vulnerability and a threat in IT risk identification?

Accepted Answer

A vulnerability is a weakness that can be exploited; a threat is a potential event that could exploit it

Answer

A threat is a weakness; a vulnerability is the probability of exploitation

Answer

Both terms are interchangeable in CRISC

Answer

A vulnerability is always human-caused; a threat is always technical

Question 4

Which CRISC concept refers to the combination of likelihood and impact of a risk?

Accepted Answer

Risk level

Answer

Risk appetite

Answer

Control objective

Answer

Residual risk

Question 5

What is the purpose of a threat landscape analysis in CRISC risk identification?

Accepted Answer

To understand current and emerging threats relevant to the organization's industry and environment

Answer

To design technical controls for known vulnerabilities

Answer

To create a disaster recovery plan

Answer

To audit user access privileges

Question 6

Which document typically provides the foundational framework for IT risk identification activities?

Accepted Answer

IT risk management policy

Answer

Acceptable use policy

Answer

Software development lifecycle (SDLC) guide

Answer

Incident response playbook