Which statement describes vulnerability identification and risk ranking?

• A. A process to identify vulnerabilities from internal sources with no risk ranking.
• B. A process to identify vulnerabilities using reputable outside sources, and assign a risk ranking (high, medium, or low).
• C. A process to identify vulnerabilities using outside sources but without any risk ranking system.
• D. A process to identify vulnerabilities using reputable outside sources and assign a risk ranking (high, medium, or low), ensuring that all high-risk vulnerabilities are identified, and marking critical vulnerabilities if imminent threats.

Answer: (D)

The key idea is that vulnerability identification should be based on credible external information and paired with a structured risk ranking to prioritize remediation, especially when threats are imminent. Using reputable outside sources ensures you’re seeing vulnerabilities that may not be present in internal systems alone, while assigning a risk level (high, medium, low) creates a clear, actionable prioritization. The strongest description also adds that all high-risk vulnerabilities should be identified and that critical vulnerabilities be marked when there is an imminent threat, which drives urgent remediation and better protection.

This is why the statement that combines both credible external sources and a risk ranking system, with explicit emphasis on identifying all high-risk items and marking critical ones under imminent threats, is the best choice. The other options either rely only on internal data or outside sources without risk ranking, or rely on outside sources but omit the essential prioritization and escalation aspects.