
CAS-001 · Question #218

CAS-001 Question #218: Real Exam Question with Answer & Explanation

The correct answer is A: The resulting impact of even one attack being realized might cripple the company financially.

Question

A newly-appointed risk management director for the IT department at Company XYZ, a major pharmaceutical manufacturer, needs to conduct a risk analysis regarding a new system which the developers plan to bring on-line in three weeks. The director begins by reviewing the thorough and well-written report from the independent contractor who performed a security assessment of the system. The report details what seems to be a manageable volume of infrequently exploited security vulnerabilities. The likelihood of a malicious attacker exploiting one of the vulnerabilities is low; however, the director still has some reservations about approving the system because of which of the following?

Options

  • A. The resulting impact of even one attack being realized might cripple the company financially.
  • B. Government health care regulations for the pharmaceutical industry prevent the director from
  • C. The director is new and is being rushed to approve a project before an adequate assessment
  • D. The director should be uncomfortable accepting any security vulnerabilities and should find time

Explanation

Risk is calculated as the product of Likelihood × Impact. Even when the likelihood of exploitation is low, if the potential impact is catastrophic (for example, a breach of pharmaceutical data leading to regulatory penalties, loss of manufacturing capability, patient harm liability, or financial ruin), the overall risk level can still be unacceptable. The director is correctly applying risk thinking: a low-probability, high-consequence event at a pharmaceutical company can be existentially damaging. Options B, C, and D attribute the hesitation to external regulations, personal inexperience, or perfectionism, none of which reflects sound risk management reasoning.
