CAS-002 Question #219: Real Exam Question with Answer & Explanation
The correct answer is D: Provide a business justification for a risk exception. When systems cannot comply with a security policy, the formal process is to submit a risk exception with documented business justification; the full reasoning is given in the Explanation section below.
Question
Options
- A. Establish a risk matrix
- B. Inherit the risk for six months
- C. Provide a business justification to avoid the risk
- D. Provide a business justification for a risk exception
Explanation
When systems cannot comply with a security policy, the correct formal process is to submit a risk exception with documented business justification. This acknowledges the gap, documents the risk, records the reasoning (legacy system constraints), and obtains documented acceptance from an accountable risk owner. In practice the exception record names the affected system, the policy requirement it violates, any compensating controls, the person accepting the risk, and a review or expiry date; an exception is a time-bound acceptance, not a permanent waiver. A single exception process covers all three systems in the scenario: the one being upgraded in six months and the two with no upgrade path. Option A (risk matrix) is a tool used within risk analysis to rank likelihood and impact, not a process for handling non-compliance. Option B uses incorrect terminology: "inheriting" is not one of the recognized risk responses (accept, avoid, mitigate, transfer); the closest real concept is control inheritance in frameworks such as NIST RMF, where a system inherits common controls from a provider, which has nothing to do with accepting non-compliance. It also addresses only the six-month window and ignores the two permanently non-compliant systems. Option C (avoid the risk) means eliminating the risk source entirely, for example by decommissioning the systems, which is not what is happening here. Only a formal risk exception with business justification properly documents accepted non-compliance.