CISSP-ISSEP · Question #119
Which of the following describes a residual risk as the risk remaining after a risk mitigation has occurred?
The correct answer is D. DIACAP. DIACAP (DoD Information Assurance Certification and Accreditation Process) is the correct answer because it is the U.S. Department of Defense framework that formally defines and employs the concept of residual risk - specifically as the risk that remains after security controls a
Question
Which of the following describes a residual risk as the risk remaining after a risk mitigation has occurred?
Options
- ASSAA
- BISSO
- CDAA
- DDIACAP
How the community answered
(55 responses)- A4% (2)
- B2% (1)
- C4% (2)
- D91% (50)
Explanation
DIACAP (DoD Information Assurance Certification and Accreditation Process) is the correct answer because it is the U.S. Department of Defense framework that formally defines and employs the concept of residual risk - specifically as the risk that remains after security controls and mitigations have been applied to a system, which the DAA then accepts on behalf of the organization.
Why the distractors are wrong:
- A (SSAA - System Security Authorization Agreement): This is a document associated with DITSCAP (DIACAP's predecessor), not a framework or definition of residual risk.
- B (ISSO - Information System Security Officer): This is a security role/position responsible for day-to-day security, not a framework or concept that defines residual risk.
- C (DAA - Designated Approving Authority): This is a role within DIACAP who formally accepts residual risk - but the DAA is the actor, not the framework that defines the term.
Memory tip: Think of the acronym hierarchy - DIACAP is the process that contains all the other pieces. The ISSO manages security, the DAA accepts the leftover risk, and the SSAA documents it - but DIACAP is the overarching framework that defines what residual risk means and how it's handled.
Topics
Community Discussion
No community discussion yet for this question.