CompTIA SecurityX (CAS-005) — Question 170

A Chief Information Security Officer requests an action plan to remediate vulnerabilities. A security analyst reviews the output from a recent vulnerability scan and notices hundreds of unique vulnerabilities. The output includes the CVSS score, IP address, hostname, and the list of vulnerabilities. The analyst determines more information is needed in order to decide which vulnerabilities should be fixed immediately. Which of the following is the best source for this information?

Answer options

• A. Third-party risk review
• B. Business impact analysis
• C. Incident response playbook
• D. Crisis management plan

Correct answer: B

Explanation

The Business impact analysis (B) provides insights into how vulnerabilities affect business operations, helping prioritize remediation based on potential impact. The other options, while important for security and risk management, do not specifically address the immediate need for assessing the business consequences of the identified vulnerabilities.