CRISC Certified in Risk and Information Systems Control – Question274

You are the Risk Official in Bluewell Inc. You have detected many vulnerabilities during the risk assessment process. What should you do next?

A. Prioritize vulnerabilities for remediation solely based on impact.
B. Handle vulnerabilities as a risk, even though there is no threat.
C. Analyze the effectiveness of control on the vulnerabilities' basis.
D. Evaluate vulnerabilities for threat, impact, and cost of mitigation.

Correct Answer: D

Explanation:

Vulnerabilities detected during assessment should first be evaluated for threat, impact, and cost of mitigation. They should be evaluated and prioritized on the basis of whether they pose a credible threat or not.
Incorrect Answers: A, C: These are further steps taken after evaluating vulnerabilities, so they are not the immediate action after detecting vulnerabilities.
B: If detected vulnerabilities pose no or negligible threat to an enterprise, it is not cost-effective to address them as a risk.