Certified in Risk and Information Systems Control (CRISC) — Question 830

Which of the following is the BEST way to address a board's concern about the organization's cybersecurity posture?

Answer options

• A. Update security risk scenarios
• B. Create a new security risk officer role
• C. Assess security capabilities against an industry framework
• D. Contract with a third party to perform vulnerability testing

Correct answer: D

Explanation

The correct answer, D, is effective because contracting a third party for vulnerability testing provides an unbiased assessment of security weaknesses. Other options, while beneficial, do not directly address the board's immediate concerns about actual vulnerabilities and threats to the organization's cybersecurity.