As a security professional, you are attending the risk management meeting. A member points out a maintenance service provider for the ERP system is suffering financial problems that might hinder the service level. Which of the following should be conducted first?
A. Escalate this problem to the management and suggest sourcing a backup provider
B. Activate the information system contingency plan (ISCP)
C. Train in-house team members to support the system as a backup solution
D. Identify affected business processes and related resources

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is D. Identify affected business processes and related resources.

Risk-aware decision matters. It’s indeed a risk that a maintenance service provider for the ERP system is suffering financial problems that might hinder the service level.

Once a risk is identified, we have to analyze its likelihood and impact. Is it risk with a low likelihood or a 10% possibility? Is it risk with high impact or 1 million of loss? What is the risk level, score, or exposure?

Is the risk serious enough for us to handle it? Can we accept the possible loss if we don’t handle it?

Options A, B, and C are decisions made too early. They can be treated as part of risk treatment.