Which of the following should a risk practitioner do NEXT after learning that Internet of Things (IoT) devices installed in the production environment lack appropriate security controls for sensitive data?
Correct Answer: C
Comprehensive and Detailed Explanation (aligned to ISACA CRISC guidance) On discovering that IoT devices handling sensitive data lack proper security controls, the risk practitioner's next step is to assess the threat and associated impact. CRISC emphasizes that after identifying a weakness, the practitioner must evaluate likelihood (threat capability, exposure, existing safeguards) and impact (data confidentiality, integrity, availability, regulatory fines, operational disruption). This analysis determines how serious the situation is and how urgently it must be addressed. Only once risk level is understood should specific treatments-such as device management, hardening, segmentation, or RBAC-be designed and prioritized. Evaluating risk appetite and tolerance is necessary when deciding whether residual risk is acceptable, but it follows (not precedes) the technical risk assessment of the scenario.
Reference: CRISC Review Manual - Risk Assessment domain (threat and impact analysis for identified weaknesses).