
CAS-003 Question #248: Real Exam Question with Answer & Explanation

The correct answer is C: Require the solution owner to accept the identified risks and consequences. When a risk has been identified, evaluated, and found to be acceptable (small user base, no sensitive data), the appropriate next step is formal risk acceptance - the solution owner must acknowledge the identified risks in writing and accept responsibility for the consequences.

Question

An infrastructure team is at the end of a procurement process and has selected a vendor. As part of the final negotiations, there are a number of outstanding issues, including:

  1. Indemnity clauses have identified the maximum liability
  2. The data will be hosted and managed outside of the company's geographical location

The number of users accessing the system will be small, and no sensitive data will be hosted in the solution. As the security consultant on the project, which of the following should the project's security consultant recommend as the NEXT step?

Options

  • A. Develop a security exemption, as it does not meet the security policies
  • B. Mitigate the risk by asking the vendor to accept the in-country privacy principles
  • C. Require the solution owner to accept the identified risks and consequences
  • D. Review the entire procurement process to determine the lessons learned

Explanation

When a risk has been identified, evaluated, and found to be acceptable (small user base, no sensitive data), the appropriate next step is formal risk acceptance - the solution owner must acknowledge the identified risks in writing and accept responsibility for the consequences. This is the standard risk acceptance process. Option A (exemption) is premature since the risk may be acceptable as-is. Option B (mitigate) is unnecessary given the low sensitivity of the data. Option D (lessons learned) belongs at project close, not mid-procurement. Risk acceptance requires the business owner - not the security consultant - to formally own the residual risk.
