Certified in Risk and Information Systems Control (CRISC) — Question 1388
An organization has outsourced its backup and recovery procedures to a cloud service provider. The provider's controls are inadequate for the organization's level of risk tolerance. As a result, the organization has internally implemented additional backup and recovery controls. Which risk response has been adopted?
Answer options
- A. Acceptance
- B. Transfer
- C. Avoidance
- D. Mitigation
Correct answer: D
Explanation
The organization has opted for mitigation by implementing additional controls to reduce the risk posed by the cloud service provider's inadequate measures. Acceptance would mean taking no action, transfer would involve shifting the risk to another party, and avoidance would mean eliminating the risk entirely, which is not the case here.