CompTIA Security+ Question L-44

A security administrator plans on replacing a critical business application in five years. Recently, there was a security flaw discovered in the application that will cause the IT department to manually re-enable user accounts each month at a cost of $2,000. Patching the application today would cost $140,000 and take two months to implement. Which of the following should the security administrator do in regards to the application?

A. Avoid the risk to the user base allowing them to re-enable their own accounts
B. Mitigate the risk by patching the application to increase security and saving money
C. Transfer the risk replacing the application now instead of in five years
D. Accept the risk and continue to enable the accounts each month saving money

Answer: D

Explanation:
This is a risk acceptance measure that has to be implemented since the cost of patching would be too high compared to the cost to keep the system going as is. Risk acceptance is often the choice you must make when the cost of implementing any of the other four choices (i.e. risk deterrence, mitigation, transference or avoidance) exceeds the value of the harm that would occur if the risk came to fruition.

CompTIA Security+ Question I-69

Peter, a security analyst, asks each employee of an organization to sign a statement saying that they understand how their activities may be monitored. Which of the following BEST describes this statement? (Select TWO).

A. Acceptable use policy
B. Risk acceptance policy
C. Privacy policy
D. Email policy
E. Security policy

Answer: A,C

Explanation:
Privacy policies define what controls are required to implement and maintain the sanctity of data privacy in the work environment. Privacy policy is a legal document that outlines how data collected is secured. It should encompass information regarding the information the company collects, privacy choices you have based on your account, potential information sharing of your data with other parties, security measures in place, and enforcement. Acceptable use policies (AUPs) describe how the employees in an organization can use company systems and resources, both software and hardware.

CompTIA Security+ Question I-60

A network administrator has identified port 21 being open and the lack of an IDS as a potential risk to the company. Due to budget constraints, FTP is the only option that the company can is to transfer data and network equipment cannot be purchased. Which of the following is this known as?

A. Risk transference
B. Risk deterrence
C. Risk acceptance
D. Risk avoidance

Answer: C

CompTIA Security+ Question H-45

Which of the following provides the BEST explanation regarding why an organization needs to implement IT security policies?

A. To ensure that false positives are identified
B. To ensure that staff conform to the policy
C. To reduce the organizational risk
D. To require acceptable usage of IT systems

Answer: C

Explanation:
Once risks has been identified and assessed then there are five possible actions that should be taken. These are: Risk avoidance, Risk transference, Risk mitigation, Risk deterrence and Risk acceptance. Anytime you engage in steps to reduce risk, you are busy with risk mitigation and implementing IT security policy is a risk mitigation strategy.

CompTIA Security+ Question G-87

Peter, a security analyst, has been informed that the development team has plans to develop an application which does not meet the company’s password policy. Which of the following should Peter do NEXT?

A. Contact the Chief Information Officer and ask them to change the company password policy so that the application is made compliant.
B. Tell the application development manager to code the application to adhere to the company’s password policy.
C. Ask the application development manager to submit a risk acceptance memo so that the issue can be documented.
D. Inform the Chief Information Officer of non-adherence to the security policy so that the developers can be reprimanded.

Answer: B

Explanation:
Since the application is violating the security policy it should be coded differently to comply with the password policy.

CompTIA Security+ Question E-90

Identifying residual risk is MOST important to which of the following concepts?

A. Risk deterrence
B. Risk acceptance
C. Risk mitigation D. Risk avoidance

Answer: B

Explanation:
Risk acceptance is often the choice you must make when the cost of implementing any of the other four choices exceeds the value of the harm that would occur if the risk came to fruition. To truly qualify as acceptance, it cannot be a risk where the administrator or manager is unaware of its existence; it has to be an identified risk for which those involved understand the potential cost or damage and agree to accept it. Residual risk is always present and will remain a risk thus it should be accepted (risk acceptance)