Which of the following should be the FIRST step in managing the impact of recently discovered zero-day vulnerabilities?
正解: A
The first step is to identify at-risk assets. Before an organization can assess impact, estimate damage, or evaluate likelihood, it must first determine which assets are exposed to the zero-day vulnerability. ISACA risk guidance emphasizes asset identification and security categorization as foundational steps in risk assessment.
In other words, you cannot meaningfully assess risk until you know what systems, applications, or services are affected.
Option A is correct because scoping the exposure comes first. Once at-risk assets are identified, the organization can prioritize remediation and then evaluate impact and likelihood in a focused way. ISACA's vulnerability and risk-related material supports risk-based prioritization built on asset visibility and understanding which systems are exposed.
Option B is not first because impact assessment depends on knowing which assets are vulnerable and how critical they are. Without that scope, impact analysis is incomplete.
Option C is also not first. Likelihood matters in risk analysis, but it comes after identifying the vulnerable environment and relevant exposure. ISACA's risk discussions place likelihood estimation after identifying assets, threats, and vulnerabilities.
Option D is similar to impact assessment and likewise depends on first knowing which assets are in scope.
Estimating damage without scoping exposure would be premature.
Therefore, A is the best answer because identifying the affected assets is the necessary first step in managing the impact of a newly discovered zero-day vulnerability.
References (Official ISACA):
* ISACA Journal, IT Asset Valuation, Risk Assessment and Control Implementation Model - asset identification and categorization precede likelihood and impact assessment.
* ISACA、「リスクベースのアプローチを使用して脆弱性修復の優先順位付けを行う」 - 脆弱性への曝露が理解された後のリスクベースの優先順位付けをサポートします。
* ISACA、「運用技術分野の強化:実戦で実証されたサイバーレジリエンス戦略」 - 悪用可能な弱点と露出した資産を特定することに重点を置いています。
* ISACAジャーナル、「サイバーセキュリティリスクの理解」 - 脅威/脆弱性が特定された後、可能性と影響はリスクモデルの一部となります。