Isaca Updated CRISC Exam Questions and Answers by macsen

The correct answer isBbecausered team exercisesare the best method to identify weaknesses in the technical environment that an attacker could exploit to gain access. A red team exercise simulates realistic attacker behavior and therefore provides a direct and practical way to discover exploitable security weaknesses across systems, defenses, and operational response capabilities.

The other options are not as effective:

A. Threat modelingis useful for identifying possible attack paths and design weaknesses, but it is more analytical than practical.

C. System testingis broad and may not focus specifically on adversarial exploitation.

D. Control self-assessments (CSAs)rely on internal review and are less effective for uncovering attacker-leveraged technical weaknesses.

Exact Extracts supporting the answer:

“To detect vulnerabilities in Internet-facing systems penetration testing is primarily used as it simulates real attacker actions to test security defenses.”

“For a system owner penetration testing offers the greatest level of assurance regarding the effectiveness of implemented security controls.”

“For an Internet-facing application penetration testing is the most effective control assessment type.”

“The BEST way to ensure a corporate network ' s security against external attacks is to perform periodic penetration testing.”

“After various infrastructure changes are made is the best time to perform a penetration test as changes are likely to introduce new exposures.”

These extracts support the principle that simulated attacker activity is the strongest way to identify technical weaknesses exploitable by attackers. Among the given choices,red team exercisesare the closest and best match to that objective.

===========

 The most important outcome of a business impact analysis (BIA) is understanding and prioritization of critical processes. A BIA is a process that identifies and evaluates the potential effects of disruptions or disasters on the organization’s business functions and processes. A BIA helps to understand the dependencies, interrelationships, and impacts of the business processes, and to prioritize them based on their importance and urgency. A BIA also helps to determine the recovery objectives, strategies, and resources for the business processes, such as the recovery time objective (RTO), the recovery point objective (RPO), and the minimum operating requirements (MOR). The other options are not as important as understanding and prioritization of critical processes, although they may be part of or derived from the BIA. Completion of thebusiness continuity plan (BCP), identification of regulatory consequences, and reduction of security and business continuity threats are all activities or outcomes that can be supported or facilitated by the BIA, but they are not the primary purpose or result of the BIA. References = CISA Review Manual, 27th Edition, Chapter 5, Section 5.2.1, page 5-9.

 Risk culture is the system of values and behaviors present in an organization that shapes risk decisions of management and employees1. Risk culture influences how the organization perceives, responds to, and manages the risks that may affect its objectives, operations, or assets2.

The scenario described in the question best demonstrates an organization’s risk culture, because it shows how the management team’s attitude and actions towards risk are driven by the organization’s values and goals. In this case, the organization’s risk culture is characterized by:

A high risk appetite and tolerance, which means that the organization is willing to take and accept significant risks in order to achieve its strategic objectives of launching a new product and penetrating new markets

A low risk awareness and sensitivity, which means that the organization does not pay enough attention or consideration to the potential IT risk factors, threats, and vulnerabilities that may affect its product development and market entry

A weak risk governance and control, which means that the organization does not have adequate or effective policies, procedures, or mechanisms to identify, assess, respond, or monitor the IT risks and their impacts

References = Risk Culture of Companies | ERM - Enterprise Risk Management Initiative …, Taking control of organizational risk culture | McKinsey

 A risk treatment plan is a document that describes the actions and resources required to implement the chosen risk response for a specific risk scenario. A risk response can be to accept, avoid, transfer, or mitigate the risk. The effectiveness of a risk treatment plan can be measured by how well it reduces the risk exposure and achieves the desired outcomes. The best evidence that a selected risk treatment plan is effective is to evaluate the residual risk level, which is the remaining risk after the risk treatment plan has been implemented. The residual risk level should be within the organization’s risk appetite and tolerance, and should reflect the actual risk reduction and value creation of the risk treatment plan. Evaluating the residual risk level can also help to identify any gaps or issues that need to be addressed, and to monitor and report on the risk performance and improvement. References = Risk and Information Systems Control Study Manual, Chapter 3, Section 3.2.2, p. 108-109