CRISC Question #534: Real Exam Question with Answer & Explanation
The correct answer is B: Conduct a risk analysis. To provide senior management with information about new application risks, the initial step is to conduct a risk analysis to identify, assess, and understand potential threats and vulnerabilities.
Question
Senior management has requested more information regarding the risk associated with introducing a new application into the environment. Which of the following should be done FIRST?
Options
- A. Perform an audit.
- B. Conduct a risk analysis.
- C. Develop risk scenarios.
- D. Perform a cost-benefit analysis.
Explanation
To provide senior management with information about new application risks, the initial step is to conduct a risk analysis to identify, assess, and understand potential threats and vulnerabilities.
Common mistakes
- A. An audit typically assesses compliance or the effectiveness of existing controls against established standards, which is a post-implementation or mature-state activity, not the first step for understanding new risks.
- C. Developing risk scenarios is part of a broader risk analysis or assessment, but the overarching first step is to conduct the full analysis to identify and quantify the risks first.
- D. A cost-benefit analysis might be performed after a risk analysis to evaluate potential mitigation strategies, but it doesn't provide the initial risk information requested by management.
Concept tested: New application risk assessment
Reference: https://learn.microsoft.com/en-us/azure/architecture/framework/security/identify-risks