Demo ISC2 CC Exam Questions

Demo practice questions for guest users.

Section: Practice Mode 10 Questions
Demo Practice
Question 1

In the risk management process, which of the following best describes the concept of 'risk acceptance'? 

Correct Answer: C
Explanation:
Risk acceptance is a component of the risk management process that involves recognizing when it may be more practical or cost-effective to accept a certain level of risk rather than attempting to eliminate it entirely (see ISC2 Study Guide, Module 2, under Risk Treatment). This decision is an informed choice typically based on the organization's risk appetite and on carefully analyzing the potential costs and benefits of implementing additional controls or countermeasures. By contrast, implementing controls and countermeasures to eliminate all risks, ignoring potential risks and their impacts, and avoiding the need for a risk management process are all incorrect options, as these approaches do not accurately describe the concept of informed choice underlying risk acceptance. 
Question 2

IPSec works in which layer of the OSI model?

Correct Answer: C
Explanation:
IPSec (Internet Protocol Security) operates at Layer 3, the Network Layer of the OSI model. IPSec is designed to secure IP communications by authenticating and encrypting each IP packet in a data stream. Because it works directly with IP packets, it naturally fits at the network layer.
Operating at Layer 3 gives IPSec a major advantage: it can protect all network traffic, regardless of the application or transport protocol being used. This means IPSec can secure TCP, UDP, and ICMP traffic transparently without requiring changes to applications. IPSec is commonly used to implement Virtual Private Networks (VPNs), including site-to-site and remote-access VPNs.
IPSec uses protocols such as Authentication Header (AH) and Encapsulating Security Payload (ESP) to provide confidentiality, integrity, authentication, and anti-replay protection. Key management is typically handled by IKE (Internet Key Exchange).
Although IPSec may appear in some diagrams as interacting with other layers, standards bodies such as NIST and the IETF clearly define IPSec as a Layer 3 (Network Layer) security protocol.
Question 3

What is the purpose of the post-incident phase?

Correct Answer: C
Explanation:
The post-incident phase focuses on documenting lessons learned, improving controls, and preventing recurrence.
