The correct answer is A because when malware is discovered on an endpoint device, the first consideration in determining impact is the criticality and sensitivity of the affected asset. The business importance of the device, the data it stores or accesses, and the role it plays in operations determine how serious the incident is to the organization.
The other options are less important for determining impact:
B. Currency of anti-malware signatures relates to control effectiveness, not to the measure of business impact.
C. Availability of patches and security updates is relevant to remediation, but is not the main factor in assessing impact.
D. Currency of the incident response plan affects preparedness, not the actual impact of the malware event.
Exact Extracts supporting the answer:
“IT risk is measured by its impact on business operations.”
“The primary reason risk professionals conduct risk assessments is to identify risk with the highest business impact.”
“The main outcome of a business impact analysis (BIA) is the criticality of business processes.”
“To determine the level of protection required for securing personally identifiable information a risk practitioner should PRIMARILY consider the sensitivity property of the information.”
“The criticality of an IT infrastructure element can be quantified based on dependencies.”
These extracts show that impact assessment is driven primarily by business criticality and information sensitivity. Therefore, asset criticality and sensitivity is the primary consideration.