Certified in Risk and Information Systems Control (CRISC) — Question 919

An organization has decided to implement a new Internet of Things (IoT) solution. Which of the following should be done FIRST when addressing security concerns associated with this new technology?

Answer options

• A. Engage external security reviews.
• B. Implement IoT device monitoring software.
• C. Develop new IoT risk scenarios.
• D. Introduce controls to the new threat environment.

Correct answer: C

Explanation

The correct answer is C, as developing new IoT risk scenarios is essential for identifying potential vulnerabilities before implementing any security measures. Engaging external security reviews (A) and implementing monitoring software (B) are important steps but should follow the initial assessment of risks. Introducing controls (D) is also vital, but without understanding the specific risks, it may not effectively address the unique challenges posed by IoT technologies.