nerdexam
(ISC)2

CAP · Question #254

Which of the following statements correctly describes DIACAP residual risk?

The correct answer is A. It is the remaining risk to the information system after risk palliation has occurred.. Residual risk (A) in DIACAP (DoD Information Assurance Certification and Accreditation Process) is the risk that remains after all applicable security controls and mitigation measures (palliation) have been applied to an information system. It represents the accepted leftover exp

Security and Privacy Governance, Risk Management, and Compliance Program

Question

Which of the following statements correctly describes DIACAP residual risk?

Options

  • AIt is the remaining risk to the information system after risk palliation has occurred.
  • BIt is a process of security authorization.
  • CIt is the technical implementation of the security design.
  • DIt is used to validate the information system.

How the community answered

(54 responses)
  • A
    94% (51)
  • C
    4% (2)
  • D
    2% (1)

Explanation

Residual risk (A) in DIACAP (DoD Information Assurance Certification and Accreditation Process) is the risk that remains after all applicable security controls and mitigation measures (palliation) have been applied to an information system. It represents the accepted leftover exposure that cannot be fully eliminated. It is not a process of authorization (B), not the technical implementation of security design (C), and not a validation mechanism (D). Decision makers must formally accept residual risk before granting an Authority to Operate (ATO).

Topics

#DIACAP#Residual Risk#Risk Management

Community Discussion

No community discussion yet for this question.

Full CAP Practice