An information security team has started work to mitigate findings from a recent penetration test. Which of the following presents the GREATEST risk to the organization?
A. Some findings were reclassified to low risk after evaluation
B. Not all findings from the penetration test report were fixed
C. The penetration testing report did not contain any high-risk findings
D. Risk classification of penetration test findings was not performed
The greatest risk comes from not performing risk classification on the findings (answer D). Without classification, the organization cannot prioritize remediation efforts, allocate resources effectively, or understand the business impact of the vulnerabilities.
"Risk classification helps determine the priority for mitigating vulnerabilities and enables risk-informed decisions."
Even if some findings remain unfixed or are reclassified, the absence of any classification process undermines the whole risk management effort, because neither the unfixed nor the reclassified findings can be judged against their actual impact.