nerdexam
EC-Council

312-50V10 · Question #705

A medium-sized healthcare IT business decides to implement a risk management strategy. Which of the following is NOT one of the five basic responses to risk?

The correct answer is B. Delegate. The five standard risk responses recognized in frameworks like NIST and ISO 31000 are Accept, Avoid, Transfer, Mitigate, and Defer - Delegate is not among them.

Information Security and Ethical Hacking Fundamentals

Question

A medium-sized healthcare IT business decides to implement a risk management strategy. Which of the following is NOT one of the five basic responses to risk?

Options

  • AAccept
  • BDelegate
  • CMitigate
  • DAvoid

How the community answered

(34 responses)
  • A
    9% (3)
  • B
    88% (30)
  • D
    3% (1)

Why each option

The five standard risk responses recognized in frameworks like NIST and ISO 31000 are Accept, Avoid, Transfer, Mitigate, and Defer - Delegate is not among them.

AAccept

Accept is a valid risk response where an organization consciously decides to live with a risk, typically when mitigation costs outweigh potential losses.

BDelegateCorrect

Delegate is not a defined risk response in established risk management frameworks such as NIST SP 800-30 or ISO 31000. The five recognized responses are Accept (tolerate the risk), Avoid (eliminate the risk-causing activity), Transfer (shift risk to a third party via insurance or contracts), Mitigate (reduce likelihood or impact), and sometimes Defer (postpone action). Delegation describes an organizational management task, not a risk treatment strategy.

CMitigate

Mitigate is a valid risk response that involves implementing controls to reduce the probability of a risk occurring or to minimize its impact if it does.

DAvoid

Avoid is a valid risk response where an organization eliminates the source of the risk entirely by discontinuing the activity or process that introduces it.

Concept tested: Five standard risk management response strategies

Source: https://csrc.nist.gov/publications/detail/sp/800-30/rev-1/final

Topics

#risk management#risk response#security policies#compliance

Community Discussion

No community discussion yet for this question.

Full 312-50V10 Practice