CRISC Question #323: Real Exam Question with Answer & Explanation
The correct answer is D: Prepare a risk response that is aligned to the organization's risk tolerance.
Question
A risk assessment has been completed on an application and reported to the application owner. The report includes validated vulnerability findings that require mitigation. Which of the following should be the NEXT step?
Options
- A. Report the findings to executive management to enable treatment decisions.
- B. Reassess each vulnerability to evaluate the risk profile of the application.
- C. Conduct a penetration test to determine how to mitigate the vulnerabilities.
- D. Prepare a risk response that is aligned to the organization's risk tolerance.
Explanation
Once a risk assessment has produced validated vulnerability findings, the immediate next step is for the application owner to formulate a risk response: a plan for treating those findings (mitigate, transfer, accept or avoid) that stays within the organization's risk tolerance.
Common mistakes.
- A. Reporting findings to executive management typically occurs after risk responses have been considered or when specific decisions require executive approval, not immediately after the initial assessment.
- B. Reassessing each vulnerability is redundant since the findings are already validated; the focus shifts to treatment rather than re-evaluation.
- C. Conducting a penetration test is an assessment activity to identify vulnerabilities, not a mitigation step after vulnerabilities have already been identified and validated.
Concept tested. Risk response planning
Reference. https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf