The correct answer is C because after a post-mortem review of a new zero-day exploit, the risk team should update the risk events / risk scenarios so future assessments and monitoring reflect this newly observed threat pattern and attack path. A post-incident review should strengthen the organization’s risk knowledge base and ensure similar events are represented in scenario development, assessment, and monitoring.
The other options are less appropriate as the next risk-team action:
A. Revise the risk appetite is too high-level and would not normally change because of one exploit.
B. File a claim against the organization's cyber insurance policy may be handled separately, but it is not the main risk management follow-up from the review.
D. Notify customers affected by the attack may be necessary operationally or legally, but the question asks what the risk team should do next as a result of the post-mortem review.
Exact Extracts supporting the answer:
“After a security incident the first step toward yielding an actionable plan that effectively mitigates the risk is root cause analysis.”
“The BEST way to verify that critical production servers are using up-to-date antivirus signature files is to Check a sample of servers.”
“The BEST way for an incident response team to identify the source of a malware attack to reduce the likelihood of recurrence is through Root cause analysis.”
“Risk scenarios enable the risk assessment process because they help estimate the frequency and impact of risk.”
“An emerging risk should be added to the risk register by the risk practitioner when the activity that triggers the risk initiates.”
These extracts support that once a new exploit pattern is identified, the organization should incorporate it into future risk analysis through updated risk events or scenarios.
===========
QUESTION NO: 116 [Risk Response and Mitigation]
Which of the following is the MOST effective way to help ensure a risk treatment plan remains on track?
A. Assigning sufficient resources to implement the plan
B. Requiring approval by the second line of defense
C. Adopting an Agile project management approach
D. Documenting risk treatment procedures for relevant stakeholders
Answer: A
The correct answer is A because a risk treatment plan is most likely to remain on track when sufficient resources are assigned to implement it. Even a well-designed treatment plan will fail if there are not enough people, budget, time, or technical capability to execute the required actions.
The other options are less effective:
B. Requiring approval by the second line of defense may provide oversight, but it does not keep execution on track.
C. Adopting an Agile project management approach may help delivery in some cases, but it is not the primary factor.
D. Documenting risk treatment procedures for relevant stakeholders is useful, but documentation alone does not ensure execution.
Exact Extracts supporting the answer:
“The most important information to include in a risk treatment plan that already has an appropriate resolution and a date for completion is responsible personnel.”
“The greatest benefit of implementing a risk treatment plan is to reduce the impact and likelihood of risk occurrence.”
“Risk treatment plans are necessary to describe how the chosen treatment options will be implemented.”
“In the event that available resources for risk treatment are not sufficient the risk treatment plan should define the priorities across all treatments to assist in resource allocation.”
“A risk treatment plan should primarily specify the responsibility for implementing the chosen risk treatment.”
These extracts support that implementation success depends heavily on responsibility and resource allocation. Therefore, the most effective way to keep the plan on track is assigning sufficient resources.
===========
QUESTION NO: 117 [Risk Response and Mitigation]
In the context of business continuity management, which of the following does the maximum allowable downtime represent?
A. The maximum time required to recover all critical systems to full operational capacity after a disaster
B. The maximum data loss an organization can tolerate during a disaster
C. The maximum length of time that a business can be disrupted before significant harm occurs
D. The maximum time required to initiate the disaster recovery plan (DRP)
Answer: C
The correct answer is C because maximum allowable downtime refers to the longest period a business process can remain unavailable before unacceptable damage occurs to the organization. It is a business-driven continuity threshold tied to process criticality and disruption impact.
The other options are incorrect:
A. The maximum time required to recover all critical systems to full operational capacity after a disaster is closer to a recovery objective, not maximum allowable downtime.
B. The maximum data loss an organization can tolerate during a disaster describes recovery point objective (RPO), not downtime.
D. The maximum time required to initiate the disaster recovery plan (DRP) is not what maximum allowable downtime means.
Exact Extracts supporting the answer:
“A business impact analysis is primarily used to evaluate the impact of disruption on an enterprise’s ability to operate over time.”
“The objective of a business impact analysis is best described as the identification of time-sensitive critical business functions and interdependencies.”
“The main outcome of a business impact analysis (BIA) is the criticality of business processes.”
“The most useful process in developing a series of recovery time objectives is business impact analysis.”
These extracts support that continuity downtime thresholds are defined by business impact and process criticality. Therefore, the correct answer is C, not D.
===========
QUESTION NO: 118 [Risk Response and Mitigation]
Which of the following is MOST important to consider when developing mitigation measures for a risk treatment plan?
A. Risk register ratings
B. Control implementation plan
C. Supplier capabilities
D. Cost-benefit analysis
Answer: D
The correct answer is D because the most important consideration when developing mitigation measures for a risk treatment plan is cost-benefit analysis. In CRISC, mitigation options should be selected based on whether the expected reduction in risk justifies the cost of implementing and operating the control or response.
The other options are less important as the primary consideration:
A. Risk register ratings are useful inputs, but they do not by themselves determine which mitigation is appropriate.
B. Control implementation plan comes after deciding what mitigation is justified.
C. Supplier capabilities may matter in some situations, but not as the main decision factor across treatment planning.
Exact Extracts supporting the answer:
“To best help finalize the risk treatment plan a cost-benefit analysis should be used.”
“The best help for an enterprise to select an appropriate risk response is an analysis of control costs and benefits.”
“The cost of mitigating a risk should not exceed the expected benefit to be derived.”
“The most important activity in determining the risk mitigation strategy is performing a cost-benefit analysis related to risk acceptance.”
“The MAIN reason a cost-benefit analysis in risk response planning is performed is to identify the right controls to address risks at acceptable levels within the budget.”
These extracts directly support that cost-benefit analysis is the most important consideration when developing mitigation measures for a risk treatment plan.