Nov 4 • 🙋♂️ CISSP
CISSP Practice Question – Security & Risk Management (Risk Governance and Decision-Making)
A healthcare organization conducts an enterprise risk assessment and identifies that a legacy clinical system introduces a significant risk of unauthorized disclosure of patient data. The system cannot be patched or replaced for at least 18 months due to vendor dependency. Mitigating controls reduce the likelihood from “High” to “Medium,” but the residual risk still exceeds the organization’s defined risk appetite.
The CISO recommends presenting the issue to the executive risk committee for a decision. However, the Chief Operating Officer (COO) insists that the CISO should “handle it within IT” since technical controls have already been applied.
From a CISSP management perspective, what is the BEST next step?
A. Formally document the residual risk and escalate it to executive management for risk acceptance or further action.
B. Implement additional technical controls to further reduce the likelihood to “Low.”
C. Procure cyber insurance to transfer the remaining risk to a third party.
D. Defer escalation until an incident occurs or new vulnerabilities emerge.
3
12 comments
CISSP Practice Question – Security & Risk Management (Risk Governance and Decision-Making)
skool.com/cybersecurity-study-group
Share resources, get advice, and connect with peers studying cybersecurity. Join our CISSP study group and connect with fellow professionals today!
Leaderboard (30-day)
1
+41
2
+30
3
+29
4
+26
5
+24
Powered by