Certified in Risk and Information Systems Control (CRISC) — Question 378
What should a risk practitioner do FIRST when a shadow IT application is identified in a business owner's business impact analysis (BIA)?
Answer options
- A. Include the application in the business continuity plan (BCP).
- B. Report the finding to management.
- C. Segregate the application from the network.
- D. Determine the business purpose of the application.
Correct answer: D
Explanation
The correct answer is D. A shadow IT application surfacing in a BIA means a business process depends on a system that has not been through the organization's normal review, so the practitioner must first establish what the application does and which process relies on it before its risk can be assessed. Reporting to management (B), including it in the BCP (A), or segregating it from the network (C) may each be appropriate afterwards, but none can be judged correctly, and segregation could itself disrupt a business process, until the application's business purpose and relevance are understood.