Exam CS0-003 All Questions
Question 238

A Chief Information Security Officer (CISO) wants to disable a functionality on a business-critical web application that is vulnerable to remote code execution (RCE), in order to maintain the minimum risk level with minimal increased cost. Which of the following risk treatments best describes what the CISO is looking for?

    Correct Answer: B

    Mitigating risk involves taking steps to reduce the risk to an acceptable level. In this case, the CISO wants to disable a functionality that is vulnerable to remote code execution (RCE) to reduce the risk associated with that vulnerability. This approach minimizes the risk without eliminating the use of the web application itself, which is what risk avoidance would require. It aligns with the intent to manage and reduce risk while maintaining operational functionality with minimal increased cost. Disabling the feature is a compensating control that removes the exposed attack surface; the vulnerable code is still present, so patching or removing it remains the permanent fix.

Discussion
CountVlad (Option: B)

Mitigate involves taking steps to reduce the risk to an acceptable level. In this case, the CISO wants to disable a functionality that is vulnerable to Remote Code Execution (RCE) to reduce the risk associated with that vulnerability. Avoiding risk involves completely eliminating the risk by discontinuing the activity that introduces the risk. While disabling the functionality might seem like avoiding, in the context of risk management, avoiding would typically mean ceasing the use of the entire application or process, which is not the intent here.

lowkeycowboysfan (Option: B)

Key word on the question "maintain minimum risk level". Doesn't say avoid completely.

Rifandy (Option: D)

Disabling just one function means the CISO wants to avoid the risk.

LB54 (Option: D)

Risk avoidance involves taking actions to eliminate the risk entirely, which in this case means disabling the vulnerable functionality to prevent the risk of Remote Code Execution (RCE). This approach ensures that the risk is not present, aligning with the CISO’s objective of maintaining minimal risk.

boog

Another terrible question. B & D could be correct