Certified in Risk and Information Systems Control (CRISC) — Question 1098

Management has determined that it will take significant time to remediate exposures in the current IT control environment. Which of the following is the BEST course of action?

Answer options

• A. Reassess the risk periodically.
• B. Improve project management methodology.
• C. Implement control monitoring.
• D. Identify compensating controls.

Correct answer: D

Explanation

Identifying compensating controls is the best course of action because it allows the organization to mitigate risks while the remediation is in progress. The other options, while useful, do not directly address the immediate need to manage existing risks during the remediation period.