The Chief Information Officer (CIO) is reviewing the IT centric BIA and RA documentation. The documentation shows that a single 24 hours downtime in a critical business function will cost the business $2.3 million. Additionally, the business unit which depends on the critical business function has determined that there is a high probability that a threat will materialize based on historical data. The CIO’s budget does not allow for full system hardware replacement in case of a catastrophic failure, nor does it allow for the purchase of additional compensating controls. Which of the following should the CIO recommend to the finance director to minimize financial loss?
A . The company should mitigate the risk.
B . The company should transfer the risk.
C . The company should avoid the risk.
D . The company should accept the risk.
Answer: B
Explanation:
To transfer the risk is to deflect it to a third party, by taking out insurance for example.
Incorrect Answers:
A: Mitigation is not an option as the CIO’s budget does not allow for the purchase of additional compensating controls.
C: Avoiding the risk is not an option as the business unit depends on the critical business function.
D: Accepting the risk would not reduce financial loss.
References:
Gregg, Michael, and Billy Haines, CASP CompTIA Advanced Security Practitioner Study Guide, John
Wiley & Sons, Indianapolis, 2012, p. 218