Certified in Risk and Information Systems Control (CRISC) — Question 524

A risk assessment has identified concerns about vulnerabilities associated with an Internet-facing application. Which of the following is the risk practitioner's BEST recommendation?

Answer options

• A. Review the configurations.
• B. Verify the access controls.
• C. Perform a penetration test.
• D. Determine compensating controls.

Correct answer: C

Explanation

The correct answer is C, as performing a penetration test directly assesses the application's security by simulating attacks, which can reveal vulnerabilities. Options A and B focus on preventive measures rather than actively identifying vulnerabilities, while option D relates to alternative controls rather than directly addressing the identified risks.