CAS-003 · Question #484
A Chief Information Security Officer (CISO) recently changed jobs into a new industry. The CISO's first task is to write a new, relevant risk assessment for the organization. Which of the following he
The correct answer is C. Hire a third-party consultant. E. Review the existing BIA.. A CISO new to an industry has two critical gaps: knowledge of industry-specific threats and regulations, and understanding of what matters most to this particular organization. Hiring a third-party consultant (C) with domain expertise fills the industry-knowledge gap-consultants
Question
A Chief Information Security Officer (CISO) recently changed jobs into a new industry. The CISO's first task is to write a new, relevant risk assessment for the organization. Which of the following help to the CISO find relevant risks to the organization? (Choose two.)
Options
- APerform a penetration test.
- BConduct a regulatory audit.
- CHire a third-party consultant.
- DDefine the threat model.
- EReview the existing BIA.
- FPerform an attack path analysis.
How the community answered
(42 responses)- A5% (2)
- B2% (1)
- C74% (31)
- D14% (6)
- F5% (2)
Explanation
A CISO new to an industry has two critical gaps: knowledge of industry-specific threats and regulations, and understanding of what matters most to this particular organization. Hiring a third-party consultant (C) with domain expertise fills the industry-knowledge gap-consultants bring experience with threats, compliance requirements, and common risk patterns specific to that vertical. Reviewing the existing Business Impact Analysis (E) fills the organizational-knowledge gap-the BIA documents which processes and assets are most critical to the business and the potential impact of disruptions, directly informing what risks matter most. A penetration test (A) reveals technical vulnerabilities but not strategic business risks. A regulatory audit (B) addresses compliance gaps, a subset of risk. Defining the threat model (D) is valuable but requires prior organizational understanding. Attack path analysis (F) is a tactical security exercise, not a strategic risk-finding activity.
Topics
Community Discussion
No community discussion yet for this question.