An organization has experienced several incidents of extended network outages that have exceeded tolerance.
Which of the following should be the risk practitioner's FIRST step to address this situation?
Click on the arrows to vote for the correct answer
A. B. C. D.C.
When an organization experiences several incidents of extended network outages that exceed its tolerance, the risk practitioner's first step should be to recommend a root cause analysis of the incidents (Option A). This will enable the organization to understand the underlying causes of the outages and develop appropriate mitigation measures.
Option B suggests updating the risk tolerance level to acceptable thresholds, which is not the first step in addressing the situation. Before considering adjusting the risk tolerance level, the root cause of the outages must be identified and appropriate measures taken to address them.
Option C, recommending additional controls to address the risk, is also not the first step as it assumes that the cause of the outages is already understood. Without conducting a root cause analysis, any additional controls put in place may only address the symptoms rather than the underlying cause of the outages.
Option D, updating the incident-related risk trend in the risk register, is also not the first step. Updating the risk register may be necessary after conducting a root cause analysis and implementing mitigation measures to track the effectiveness of the measures taken.
In summary, the first step in addressing the situation of extended network outages that exceed tolerance is to recommend a root cause analysis of the incidents (Option A).