Certified in Risk and Information Systems Control (CRISC) — Question 561
A penetration test reveals several vulnerabilities in a web-facing application. Which of the following should be the FIRST step in selecting a risk response?
Answer options
- A. Assess the level of risk associated with the vulnerabilities.
- B. Communicate the vulnerabilities to the risk owner.
- C. Correct the vulnerabilities to mitigate potential risk exposure.
- D. Develop a risk response action plan with key stakeholders.
Correct answer: B
Explanation
The correct first step is to communicate the vulnerabilities to the risk owner, who needs to be aware of the risks to make informed decisions. Assessing the risk level, correcting the vulnerabilities, and developing a risk response plan are important, but they should come after the risk owner has been notified.