PrepAway - Latest Free Exam Questions & Answers

Which of the following forms of risk mitigation has the…

A risk management team indicated an elevated level of risk due to the location of a corporate datacenter in a region with an unstable political climate. The chief information officer (CIO) accepts the recommendation to transition the workload to an alternate datacenter in a more stable region. Which of the following forms of risk mitigation has the CIO elected to pursue?


A. Deterrence

B. Transference

C. Avoidance

D. Acceptance

E. Sharing

3 Comments on “Which of the following forms of risk mitigation has the…

    1. Mike says:

      It is possible to transfer some risk to a third party. An example of risk transference
      (also known as risk sharing) would be an organization that purchases insurance for
      a group of servers in a data center. The organization still takes on the risk of losing
      data in the case of server failure, theft, and disaster, but transfers the risk of losing
      the money those servers are worth in case they are lost.
      Some organizations opt to avoid risk. Risk avoidance usually entails not carrying
      out a proposed plan because the risk factor is too great. An example of risk avoidance:
      If a high-profile organization decided not to implement a new and controversial
      website based on its belief that too many attackers would attempt to exploit it.
      However, the most common goal of risk management is to reduce all risk to a level
      acceptable to the organization. It is impossible to eliminate all risk, but it should be
      mitigated as much as possible within reason. Usually, budgeting and IT resources
      dictate the level of risk reduction, and what kind of deterrents can be put in place.
      For example, installing antivirus/firewall software on every client computer is common;
      most companies do this. However, installing a high-end, hardware-based firewall
      at every computer is not common; although this method would probably make
      for a secure network, the amount of money and administration needed to implement
      that solution would make it unacceptable.
      This leads to risk acceptance, also known as risk retention. Most organizations are
      willing to accept a certain amount of risk. Sometimes, vulnerabilities that would otherwise
      be mitigated by the implementation of expensive solutions are instead dealt
      with when and if they are exploited. IT budgeting and resource management are big
      factors when it comes to these risk management decisions.




  1. Super_Mario says:

    It is a question meant to catch us.

    First for some definitions:

    DEFINITION of ‘Accepting Risk’: A risk management method used in the business or investment field. Accepting risk occurs when the cost of managing a certain type of risk is accepted, because the risk involved is not adequate enough to warrant the added cost it will take to avoid that risk.

    DEFINITION of ‘Avoiding Risk’: Risk avoidance is the elimination of hazards, activities and exposures that can negatively affect an organization’s assets. Whereas risk management aims to control the damages and financial consequences of threatening events, risk avoidance seeks to avoid compromising events entirely.

    The way I see it is as follows:
    • A risk management team found a risk
    • The team communicated the risk to the chief information officer (CIO)
    • The CIO “accepts” the recommendation and took immediate action

    The above cannot be considered by any stretch of the imagination to be “acceptance” of risk in spite of the cleverly put phraseology that the CIO “accepts the recommendation”.
    The sheer fact that he “accepted the recommendation” and acted on it, means that he has “avoided” the risk by “eliminating of hazards, activities and exposures that negatively affected the organization’s assets”.
    Thus this makes “C- Avoidance” correct.



