A penetration test reveals several vulnerabilities in a web-facing application. Which of the following should be the FIRST step in selecting a risk response?
A. Assess the level of risk associated with the vulnerabilities.
B. Communicate the vulnerabilities to the risk owner.
C. Correct the vulnerabilities to mitigate potential risk exposure.
D. Develop a risk response action plan with key stakeholders.
B. Communicate the vulnerabilities to the risk owner.
Penetration tests should have severity levels, and they should provide prioritized recommendations according to the severity. So A is not relevant.
Torn between A and B. The risk response is accept, reject, transfer, etc., but before that the risk needs to be identified. The pen test has revealed the vuln; someone needs to convert it to a risk and then give it to the risk owner.
Nowhere does the ISACA manual say the risk owner owns the vuln too. So leaning towards A.
Going with B. In the real world you identify the vuln, rank it, then decide how to mitigate it, but somehow I think ISACA's thought process is different...
Community vote distribution: A (35%), C (25%), B (20%), Other
Commenters: K5000ism (1 year ago), Chachacha12 (1 year, 2 months ago), mynk29 (1 year, 8 months ago), CbtL (1 year, 8 months ago), john_boogieman (1 year, 10 months ago)