Deviation from Organization-wide Security Policy: Answering SSCP Exam Question

A deviation from an organization-wide security policy requires which of the following?


Correct answer: A.

A deviation from an organization-wide security policy requires you to manage the risk.

If you deviate from the security policy then you are required to accept the risks that might occur.

In some cases, it may be prudent for an organization to simply accept the risk that is presented in certain scenarios.

Risk acceptance is the practice of accepting certain risk(s), typically based on a business decision that may also weigh the cost versus the benefit of dealing with the risk in another way.

The OIG defines Risk Management as: This term characterizes the overall process.

The first phase of risk assessment includes identifying risks, risk-reducing measures, and the budgetary impact of implementing decisions related to the acceptance, avoidance, or transfer of risk.

The second phase of risk management includes the process of assigning priority to, budgeting, implementing, and maintaining appropriate risk-reducing measures.

Risk management is a continuous process of ever-increasing complexity.

It is how we evaluate the impact of exposures and respond to them.

Risk management minimizes loss to information assets due to undesirable events through identification, measurement, and control. It encompasses the overall security review, risk analysis, selection and evaluation of safeguards, cost-benefit analysis, management decision, and safeguard identification and implementation, along with ongoing effectiveness review.

Risk management provides a mechanism to the organization to ensure that executive management knows current risks, and informed decisions can be made to use one of the risk management principles: risk avoidance, risk transfer, risk mitigation, or risk acceptance.

The four ways of dealing with risks are: Avoidance, Transfer, Mitigation, and Acceptance.

The following answers are incorrect:

Risk assignment is incorrect because it is a distractor; assignment is not one of the ways to manage risk.

Risk reduction is incorrect because there was a deviation from the security policy. You could have some additional exposure by the fact that you deviated from the policy.

Risk containment is incorrect because it is a distractor; containment is not one of the ways to manage risk.

Reference(s) used for this question:

Hernandez, Steven, CISSP (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press), Kindle Locations 8882-8886. Auerbach Publications, Kindle Edition.

Hernandez, Steven, CISSP (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press), Kindle Locations 10206-10208. Auerbach Publications, Kindle Edition.

When an organization has a security policy in place, it is expected that all employees, contractors, and third-party vendors abide by it. However, there may be situations where a deviation from the security policy is necessary to achieve a specific goal. In such cases, there are various options available for the organization to consider.

The correct answer to the question is A. Risk Acceptance.

Risk Acceptance is a risk management strategy that involves acknowledging the potential impact of a risk and accepting it as part of the organization's overall risk posture. This means that the organization is aware of the risks associated with deviating from the security policy but has decided to accept those risks.

Risk Assignment is a risk management strategy that involves transferring the risk to another party, such as an insurance company or a third-party vendor. This strategy is not applicable in this scenario as it does not address the deviation from the security policy.

Risk Reduction is a risk management strategy that involves implementing controls or measures to mitigate the risk associated with a particular activity. This strategy may be appropriate in some cases where a deviation from the security policy is necessary, but it does not address the deviation itself.

Risk Containment is a risk management strategy that involves isolating a risk so that it does not impact the rest of the organization. This strategy may be appropriate in some cases, but it does not address the deviation from the security policy.

In conclusion, when a deviation from an organization-wide security policy is necessary, the appropriate risk management strategy is Risk Acceptance. This involves acknowledging the potential impact of the risk and accepting it as part of the organization's overall risk posture.