Certified in Risk and Information Systems Control (CRISC) — Question 802
Which of the following should be determined FIRST when a new security vulnerability is made public?
Answer options
- A. How pervasive the vulnerability is within the organization
- B. Whether the affected technology is Internet-facing
- C. Whether the affected technology is used within the organization
- D. What mitigating controls are currently in place
Correct answer: C
Explanation
The correct answer is C: determining whether the affected technology is in use within the organization comes first, because it is crucial for assessing risk. Options A and B are secondary considerations that follow once usage has been identified, while option D concerns the controls already in place rather than the immediate question of whether the technology is present.