CRISC Question #215: Real Exam Question with Answer & Explanation
The correct answer is B: Assess the potential impact and cost of mitigation. Before recommending a risk response for an unsupported legacy system, the risk practitioner must first assess the potential impact of the risk and the associated costs of various mitigation options.
Question
An internal audit report reveals that a legacy system is no longer supported. Which of the following is the risk practitioner's MOST important action before recommending a risk response?
Options
- A. Review historical application downtime and frequency
- B. Assess the potential impact and cost of mitigation
- C. Identify other legacy systems within the organization
- D. Explore the feasibility of replacing the legacy system
Explanation
Before recommending a risk response for an unsupported legacy system, the risk practitioner must first assess the potential impact of the risk (loss of vendor patches and support, exposure of the data and processes the system handles) and the cost of each candidate mitigation. Only with both figures in hand can a proportionate response (mitigate, transfer, accept, or avoid) be recommended; any recommendation made before that assessment is premature.
Common mistakes.
- A. Reviewing historical downtime is useful but does not directly quantify the potential impact of future risks specific to an unsupported system or the costs of its mitigation.
- C. Identifying other legacy systems is a broader inventory task, which does not directly address the immediate and specific risk presented by this unsupported system.
- D. Exploring replacement feasibility is a potential risk response, but this action should logically follow a thorough assessment of impact and mitigation costs to determine if replacement is the optimal path.
Concept tested. Risk assessment before response
Reference. https://csrc.nist.gov/publications/detail/sp/800-30/rev-1/final