Certified in Risk and Information Systems Control (CRISC) — Question 500
An organization has identified that terminated employee accounts are not disabled or deleted within the time required by corporate policy. Unsure of the reason, the organization has decided to monitor the situation for three months to obtain more information. As a result of this decision, the risk has been:
Answer options
- A. accepted.
- B. transferred.
- C. avoided.
- D. mitigated.
Correct answer: A
Explanation
The organization has decided to monitor the situation rather than take immediate action, which means it has accepted the risk associated with not disabling or deleting the accounts on time. The other options do not apply: the risk has not been transferred to another party, avoided through preventive measures, or mitigated by reducing its impact.