Certified in Risk and Information Systems Control (CRISC) — Question 906
A risk assessment has determined that an organization is highly susceptible to a vulnerability in its IT infrastructure. Which of the following is MOST important to communicate to the board?
Answer options
- A. Open source intelligence reports on successful attacks
- B. Impact to the organization if the vulnerability is exploited
- C. Results of the most recent penetration test
- D. Results of a root cause analysis of the vulnerability
Correct answer: B
Explanation
The correct answer, B, focuses on the potential impact on the organization, which the board needs in order to understand the severity of the risk. Option A provides context about attacks but does not convey the specific risk to the organization. Option C gives insight into testing outcomes, and option D focuses on the cause rather than the implications of the vulnerability itself.