nerdexam
CompTIA

CS0-003 · Question #355

CS0-003 Question #355: Real Exam Question with Answer & Explanation

The correct answer is B: Mitigate. Disabling the vulnerable functionality lowers the likelihood that the RCE can be exploited while the business-critical application stays in service, so the risk is reduced rather than removed: that is risk mitigation, not avoidance, transfer or acceptance.

Submitted by mike_84 · Mar 6, 2026 · Vulnerability Management

Question

A Chief Information Security Officer (CISO) wants to disable a functionality on a business-critical web application that is vulnerable to RCE in order to maintain the minimum risk level with minimal increased cost. Which of the following risk treatments best describes what the CISO is looking for?

Options

  • A. Transfer
  • B. Mitigate
  • C. Accept
  • D. Avoid

Explanation

The CISO is reducing the risk of a vulnerable web application feature by disabling that feature while leaving the rest of the application in service. The risk is lowered, not eliminated, which is the definition of mitigation (risk reduction). Avoidance would mean retiring the application or not running it at all, which conflicts with the requirement to keep a business-critical system available at minimal added cost. Two practical points follow from this: the disablement must be enforced server-side (a request to the feature's endpoint is rejected, not merely hidden in the user interface), and residual risk remains because the vulnerable code still exists, so patching or removing it should follow as the permanent fix.

Common mistakes.

  • A. Risk transfer shifts the financial or operational consequences to another party, typically through insurance or outsourcing; disabling a feature does nothing of the kind.
  • C. Risk acceptance means acknowledging the risk and deciding to take no action, which does not meet the CISO's goal of keeping risk at a minimum, since that goal requires acting on the vulnerability.
  • D. Risk avoidance eliminates the risk entirely by discontinuing the activity or not deploying the system, which is more drastic than disabling one function of a business-critical application that must keep running.
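The control described above, as an added example that is not part of the exam page or any vendor's code: a minimal standard-library WSGI application with a "report export" feature that we assume is the RCE-vulnerable functionality. The mitigation is a server-side kill switch that rejects requests to that one endpoint while the rest of the application keeps serving, and a verification routine confirms both halves of that statement. The route names, the environment variable name and the feature itself are assumptions chosen for illustration.

```python
"""Server-side kill switch as a risk-mitigation control (added example).

Assumptions (not from the exam question): the vulnerable functionality is a
report-export endpoint at /reports/export, and the switch is the environment
variable DISABLE_REPORT_EXPORT. The app is run in-process through a WSGI
environ dict, so the example needs no network or third-party packages.
"""
import os
from io import BytesIO
from urllib.parse import parse_qs

KILL_SWITCH_VAR = "DISABLE_REPORT_EXPORT"  # assumed name of the config flag


def set_kill_switch(enabled: bool) -> None:
    """Flip the control. In production this is a configuration change,
    not a code deployment, which is what keeps the added cost minimal."""
    os.environ[KILL_SWITCH_VAR] = "1" if enabled else "0"


def export_disabled() -> bool:
    """Read the switch per request so a config change takes effect at once."""
    return os.environ.get(KILL_SWITCH_VAR, "0") == "1"


def handle_export(params: dict) -> tuple:
    """Stand-in for the vulnerable code path. In the real application this is
    where untrusted input reached something that executed it; here it only
    echoes the requested format so the example stays inert."""
    fmt = params.get("format", ["pdf"])[0]
    return "200 OK", f"export queued in format {fmt}\n".encode()


def app(environ, start_response):
    """Business-critical application with one risky feature behind a switch."""
    path = environ.get("PATH_INFO", "/")
    if path == "/reports/export":
        if export_disabled():
            # Reject at the server. Hiding the button in the UI would not
            # reduce risk: the vulnerable endpoint would still be reachable.
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"report export is disabled pending a security fix\n"]
        params = parse_qs(environ.get("QUERY_STRING", ""))
        status, body = handle_export(params)
        start_response(status, [("Content-Type", "text/plain")])
        return [body]
    if path == "/":
        # Everything else keeps working: the application is not retired,
        # which is what distinguishes mitigation from avoidance.
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"dashboard\n"]
    start_response("404 Not Found", [("Content-Type", "text/plain")])
    return [b"not found\n"]


def request(path: str, query: str = "") -> tuple:
    """Call the WSGI app directly (no socket) and return (status, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    environ = {
        "REQUEST_METHOD": "GET",
        "PATH_INFO": path,
        "QUERY_STRING": query,
        "wsgi.input": BytesIO(b""),
    }
    body = b"".join(app(environ, start_response))
    return captured["status"], body.decode()


def verify_mitigation() -> dict:
    """Turn the switch on and check the control is actually in force:
    the risky endpoint is rejected and the rest of the app is unaffected.
    Returns the observed statuses so a monitoring job can assert on them."""
    set_kill_switch(True)
    return {
        "export": request("/reports/export", "format=pdf")[0],
        "dashboard": request("/")[0],
    }


if __name__ == "__main__":
    set_kill_switch(False)
    print("before:", request("/reports/export", "format=pdf"))
    print("after: ", verify_mitigation())
```

The check in verify_mitigation is the part worth keeping after the incident: a 403 on the disabled endpoint alone does not prove mitigation if the dashboard is also down, and a working dashboard alone does not prove it if the export path still answers 200.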

Concept tested. Risk treatment strategies (mitigation)

Reference. https://learn.microsoft.com/en-us/compliance/regulatory/risk-management-process-overview

Topics

#Risk treatment #risk mitigation #RCE vulnerability
