CGRC Question #213: Real Exam Question with Answer & Explanation
The correct answer is A: Avoiding the risk. NIST SP 800-39 describes risk avoidance as taking specific action to eliminate (or reposition) the activities or technologies that are the basis for a risk, which is exactly what the question describes.
Question
According to NIST SP 800-39, Managing Information Security Risk, when an organization responds to risk by eliminating the activity or technology that is the basis for the risk, that organization is:
Options
- A. Avoiding the risk.
- B. Accepting the risk.
- C. Transferring the risk.
- D. Mitigating the risk.
Explanation
NIST SP 800-39 defines risk avoidance as taking specific actions to eliminate the activities or technologies that are the basis for the risk, or to revise or reposition them within the organization's mission and business processes so the unacceptable risk no longer arises. Because the source of the risk is removed rather than controlled, that particular risk can no longer materialize; the organization still has to assess whatever replacement activity or technology it adopts, since avoidance does not reduce risk in other areas. Avoidance is typically chosen when the risk exceeds the organization's risk tolerance and cannot be reduced to an acceptable level at reasonable cost.
Common mistakes.
- B. Accepting the risk means acknowledging the risk and continuing the activity without further reduction, which SP 800-39 reserves for risk that is already within the organization's risk tolerance; the activity is kept, not eliminated.
- C. Transferring the risk shifts responsibility or liability for the risk to another party, for example through insurance or contractual terms with a provider (SP 800-39 treats risk sharing, where the liability is divided with another organization, as a separate response). The activity itself continues.
- D. Mitigating the risk means implementing controls or other actions to reduce the likelihood or impact of the risk while the underlying activity or technology remains in place.
Concept tested. Risk response strategies (NIST SP 800-39: acceptance, avoidance, mitigation, sharing, transfer)
Reference. https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-39.pdf