A deviation from an organization-wide security policy requires which of the following?

A.
Risk Acceptance

B.
Risk Assignment

C.
Risk Reduction

D.
Risk Containment

Explanation:
A deviation from an organization-wide security policy is a ‘risk’.
Once a company knows the risk it is faced with, it must decide how to handle it. Risk can be dealt with in four
basic ways: transfer it, avoid it, reduce it, or accept it.
One approach is to accept the risk, which means the company understands the level of risk it is faced with, as
well as the potential cost of damage, and decides to just live with it and not implement the countermeasure.
Many companies will accept risk when the cost/benefit ratio indicates that the cost of the countermeasure
outweighs the potential loss value. In this question, if the deviation from an organization-wide security policy will
remain, that is an example of risk acceptance.
Incorrect Answers:
B: Risk Assignment would be to transfer the risk. An example of this would be insurance where the risk is
transferred to the insurance company. A deviation from an organization-wide security policy does not require
risk assignment.
C: Risk reduction would be to reduce the deviation from the organization-wide security policy. A deviation from
an organization-wide security policy does not require risk reduction.
D: A deviation from an organization-wide security policy does not require risk containment; it requires
acceptance of the risk posed by the deviation.

Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, New York, 2013, pp. 97-98