Certified in Risk and Information Systems Control (CRISC) — Question 189
Which of the following issues should be of GREATEST concern when evaluating existing controls during a risk assessment?
Answer options
- A. Redundant compensating controls are in place.
- B. Asset custodians are responsible for defining controls instead of asset owners.
- C. A high number of approved exceptions exist with compensating controls.
- D. Successive assessments have the same recurring vulnerabilities.
Correct answer: D
Explanation
The correct answer is D because recurring vulnerabilities indicate that the existing controls are failing to mitigate risks effectively, which is a major concern. Options A, B, and C, while important, do not directly indicate the effectiveness of the controls over time as option D does.