Exam CAS-004 topic 1 question 124 discussion

Actual exam question from CompTIA's CAS-004
Question #: 124
Topic #: 1

An organization is prioritizing efforts to remediate or mitigate risks identified during the latest assessment. For one of the risks, a full remediation was not possible, but the organization was able to successfully apply mitigations to reduce the likelihood of impact.
Which of the following should the organization perform NEXT?

  • A. Assess the residual risk.
  • B. Update the organization's threat model.
  • C. Move to the next risk in the register.
  • D. Recalculate the magnitude of impact.
Suggested Answer: A

Comments

AlexJacobson
Highly Voted 2 years, 5 months ago
Selected Answer: A
You applied security controls, now you need to see how much risk is left (i.e. residual risk).
upvoted 9 times
...
Mr_BuCk3th34D
Highly Voted 1 year, 12 months ago
Selected Answer: A
When an organization identifies a risk, it may take steps to either remediate the risk (eliminate it completely) or mitigate the risk (reduce the likelihood of impact or the magnitude of impact). If a full remediation is not possible, the organization can still take steps to mitigate the risk, which may involve implementing controls or other measures to reduce the likelihood of impact. After applying these mitigations, it is important for the organization to assess the residual risk, which is the remaining risk after taking these measures into account. This allows the organization to understand the level of risk that remains and to determine if additional actions are needed to further reduce the risk.
upvoted 6 times
...
Anarckii
Most Recent 1 year ago
Selected Answer: A
You need to assess the mitigation that was put in place and then you will be able to recalculate the impact from there
upvoted 1 times
...
BiteSize
1 year, 5 months ago
Selected Answer: A
Textbook setup for residual risk. Source: Verifying each answer against ChatGPT, my experience, other test banks, a written book, and weighing in the discussion from all users to create a 100% accurate guide for myself before I take the exam. (It isn't easy because of the time needed, but it is doing my diligence.)
upvoted 4 times
...
lifeblood12005
1 year, 5 months ago
Residual risk: This is the risk that remains after controls have been applied. There will always be some remaining risk, but it will be reduced to a level that falls within the corporation's risk tolerance. For banks, a solution might be background checks for employees, biometric locks, and closed-circuit television (CCTV) for the vault. So in this question, the risk management team must ensure the residual risk is acceptable. See the CASP 004 certification guide, chapter 11. The correct answer is: Assess the residual risk.
upvoted 2 times
...
FOURDUE
1 year, 11 months ago
Selected Answer: D
Agreed. Residual risk: risk that remains even after controls are put into place.
upvoted 1 times
FOURDUE
1 year, 11 months ago
I am sorry, should be A.
upvoted 2 times
...
...
kycugu
2 years ago
The organization should assess the residual risk to determine if further action is needed to mitigate or remediate the risk. This is the best next step because it helps the organization better understand the effectiveness of the mitigations that were applied and whether additional steps need to be taken. Updating the organization's threat model, moving to the next risk in the register, and recalculating the magnitude of impact are not necessary at this stage. So yes, A is correct.
upvoted 1 times
...
dangerelchulo
2 years, 3 months ago
Selected Answer: A
Agreed with Alex. Assessing residual risk involves specifying a treatment percentage to define how much of the treatment reduces the inherent risk.
upvoted 4 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted