CompTIA CASP+ (CAS-004) — Question 220
An organization is assessing the security posture of a new SaaS CRM system that handles sensitive PII and identity information, such as passport numbers. The SaaS CRM system does not meet the organization's current security standards. After remediation work, the assessment recorded the following:
1. There will be a $20.000 per day revenue loss for each day the system is delayed going into production.
2. The inherent risk was high.
3. The residual risk is now low.
4. The solution rollout to the contact center will be a staged deployment.
Which of the following risk-handling techniques will BEST meet the organization’s requirements post remediation?
Answer options
- A. Apply for a security exemption, as the risk is too high to accept.
- B. Transfer the risk to the SaaS CRM vendor, as the organization is using a cloud service.
- C. Accept the risk, as compensating controls have been implemented to manage the risk.
- D. Avoid the risk by accepting the shared responsibility model with the SaaS CRM provider.
Correct answer: C
Explanation
The correct answer is C because the remediation work added compensating controls that reduced the inherent high risk to a low residual risk, and every day of delay costs revenue, so accepting the now-low residual risk and proceeding with the staged rollout is the appropriate choice. Option A is incorrect: an exemption is sought when a risk cannot be brought within standards, whereas here the residual risk is low and manageable. Option B does not apply: using a cloud service does not transfer the organization's accountability for the PII it holds, and transfer is not needed when adequate controls are in place. Option D is misleading: accepting the shared responsibility model does not avoid or eliminate the risk, it only defines how responsibility is split between the provider and the customer.