The correct answer is D because the risk practitioner should first identify the business need for the unauthorized software. If employees are using unauthorized cloud software on personal devices for work-related tasks, this indicates there is likely an unmet business requirement. Before recommending controls or restrictions, the best course of action is to understand why the software is being used, what business process it supports, and what gap in approved solutions exists. This aligns with CRISC principles that risk assessment must consider business objectives and operational needs before selecting risk responses.
The other options are not the best first step:
A. Evaluate the effectiveness of controls to prevent data loss may be necessary later, but first the practitioner must understand the business driver behind the behavior.
B. Develop a policy standard for conducting business using personal devices may eventually be appropriate, but not before the underlying need is identified.
C. Recommend blocking downloads of unauthorized software is a control response, but it may disrupt business activities if the root business need is not understood.
Exact Extracts supporting the answer:
“During the initial stages of developing a risk management program it's crucial that the context and purpose of the program are defined.”
“Strategic planning and business requirements should be the driving forces behind the IT plan.”
“When selecting a risk response technique the foremost consideration should be the enterprise goals and objectives.”
“To best support IT in fulfilling business requirements an internal control system or framework is essential.”
“An approach that best helps an enterprise achieve risk-based organizational objectives is to embed risk management activities into business processes.”
These extracts support that the practitioner should first understand the business context and requirements behind the unauthorized use. Only after identifying that business need can the organization choose the most appropriate policy, control, or risk response.