CAS-002 Question #353: Real Exam Question with Answer & Explanation
The correct answer is C: Mitigate. Implementing mandatory training reduces the likelihood or impact of employees misusing cloud storage, which is a risk mitigation strategy rather than elimination, transfer, or acceptance.
Question
The Chief Information Security Officer (CISO) at a company knows that many users store business documents on public cloud-based storage and realizes this is a risk to the company. In response, the CISO implements a mandatory training course in which all employees are instructed on the proper use of cloud-based storage. Which of the following risk strategies did the CISO implement?
Options
- A. Avoid
- B. Accept
- C. Mitigate
- D. Transfer
Explanation
Implementing mandatory training reduces the likelihood or impact of employees misusing cloud storage, which is a risk mitigation strategy rather than elimination, transfer, or acceptance.
Common mistakes
- A. Risk avoidance would require prohibiting cloud-based storage entirely, eliminating the activity that creates the risk, which the CISO did not do.
- B. Risk acceptance means acknowledging the risk and taking no action to reduce it; implementing training is an active control, not passive acceptance.
- D. Risk transfer shifts the financial or operational burden of a risk to a third party, such as through cyber insurance or a contract clause, which training does not accomplish.
Concept tested: Risk management strategy (mitigation via administrative controls)
Reference: https://csrc.nist.gov/publications/detail/sp/800-30/rev-1/final