Certified in Risk and Information Systems Control (CRISC) — Question 749
A peer review of a risk assessment finds that a relevant threat community was not included. Mitigation of the risk will require substantial changes to a software application. Which of the following is the BEST course of action?
Answer options
- A. Ask the business to make a budget request to remediate the problem.
- B. Research the types of attacks the threat can present.
- C. Determine the impact of the missing threat.
- D. Build a business case to remediate the fix.
Correct answer: C
Explanation
The correct answer is C because the impact of the missing threat must be understood before any further action is taken. Options A and D involve financial considerations that come after assessing the situation, while B, although informative, does not directly address the immediate need to evaluate the impact of the oversight.