nerdexam
CompTIA

CAS-003 · Question #484

A Chief Information Security Officer (CISO) recently changed jobs into a new industry. The CISO's first task is to write a new, relevant risk assessment for the organization. Which of the following he

The correct answer is C. Hire a third-party consultant. E. Review the existing BIA.. A CISO new to an industry has two critical gaps: knowledge of industry-specific threats and regulations, and understanding of what matters most to this particular organization. Hiring a third-party consultant (C) with domain expertise fills the industry-knowledge gap-consultants

Risk Management

Question

A Chief Information Security Officer (CISO) recently changed jobs into a new industry. The CISO's first task is to write a new, relevant risk assessment for the organization. Which of the following help to the CISO find relevant risks to the organization? (Choose two.)

Options

  • APerform a penetration test.
  • BConduct a regulatory audit.
  • CHire a third-party consultant.
  • DDefine the threat model.
  • EReview the existing BIA.
  • FPerform an attack path analysis.

How the community answered

(42 responses)
  • A
    5% (2)
  • B
    2% (1)
  • C
    74% (31)
  • D
    14% (6)
  • F
    5% (2)

Explanation

A CISO new to an industry has two critical gaps: knowledge of industry-specific threats and regulations, and understanding of what matters most to this particular organization. Hiring a third-party consultant (C) with domain expertise fills the industry-knowledge gap-consultants bring experience with threats, compliance requirements, and common risk patterns specific to that vertical. Reviewing the existing Business Impact Analysis (E) fills the organizational-knowledge gap-the BIA documents which processes and assets are most critical to the business and the potential impact of disruptions, directly informing what risks matter most. A penetration test (A) reveals technical vulnerabilities but not strategic business risks. A regulatory audit (B) addresses compliance gaps, a subset of risk. Defining the threat model (D) is valuable but requires prior organizational understanding. Attack path analysis (F) is a tactical security exercise, not a strategic risk-finding activity.

Topics

#risk assessment#threat modeling#BIA#third-party consultant

Community Discussion

No community discussion yet for this question.

Full CAS-003 Practice