Certified in Risk and Information Systems Control (CRISC) — Question 1167

A risk practitioner has observed that risk owners have approved a high number of exceptions to the information security policy. Which of the following should be the risk practitioner’s GREATEST concern?

Answer options

• A. Vulnerabilities are not being mitigated.
• B. Security policies are being reviewed infrequently.
• C. Controls are not operating efficiently.
• D. Aggregate risk is approaching the tolerance threshold.

Correct answer: D

Explanation

The correct answer is D because approving numerous exceptions can lead to an accumulation of risks that may exceed the organization's acceptable risk level. Options A, B, and C, while concerning, do not directly address the overall risk exposure that could result from a high number of exceptions, which is the most pressing issue.