Certified in Risk and Information Systems Control (CRISC) — Question 1302
An organization has been made aware of a newly discovered critical vulnerability in a regulatory reporting system. Which of the following is the risk practitioner's BEST course of action?
Answer options
- A. Perform an impact assessment.
- B. Perform a penetration test.
- C. Request an external audit.
- D. Escalate the risk to senior management.
Correct answer: A
Explanation
The best initial action is to perform an impact assessment to understand the severity and potential consequences of the vulnerability. A penetration test can identify exploitable vulnerabilities, but it is more appropriate after the impact has been assessed. Requesting an external audit and escalating the risk to senior management are important, but they should follow the impact assessment so that its results can inform those discussions.