Isaca Certified in Risk and Information Systems Control CRISC Question # 581 Topic 59 Discussion
Which of the following is the PRIMARY consideration when determining the impact to an organization after the discovery of malware on an endpoint device?
The BEST answer is B because impact is determined by what the affected asset means to the organization. If the endpoint stores sensitive information, supports a critical business process, or has privileged access, the organizational impact is higher. The uploaded CRISC notes support this: the criticality of business processes is a main outcome of business impact analysis, risk assessments identify the risk with the highest business impact, and infrastructure criticality can be quantified from its dependencies.
ISACA’s risk assessment guidance states that asset criticality should be determined in terms of impact on business or system objectives, and that impact is the magnitude of harm from a risk scenario affecting confidentiality, integrity, or availability.
A and D relate to vulnerability remediation and to preventive/detective control strength, not to the primary impact determination. C affects response readiness, but impact depends first on the criticality and sensitivity of the compromised endpoint and of its data.