During the risk assessment of an organization that processes credit cards, a number of existing controls have been found to be ineffective and do not meet industry standards. The overall control environment may still be effective if:
Selected Answer: C
Mitigating controls are meant to reduce the chances of a threat happening, while compensating controls are put into place when specific requirements for compliance can't be met with existing controls.
C. compensating controls are in place
Compensating controls refer to measures put in place to provide an equivalent level of control when primary controls are deemed ineffective or can't be implemented. If these compensating controls are present, the overall control environment may still be considered effective despite the shortcomings of certain controls.
While accepting residual risk, having a control mitigation plan, or having effective risk management might be part of a larger risk management strategy, none of them inherently ensure an effective control environment when existing controls are found to be inadequate. Instead, they represent different aspects or steps within the risk management process.
C is the best answer. A compensating control mitigates further damages if the preventive controls are not feasible.
A. a control mitigation plan is in place
B. residual risk is accepted
C. compensating controls are in place
D. risk management is effective
Remember, A is "a control mitigation plan is in place", not "a risk mitigation plan is in place". And that might help in a situation where the existing controls are ineffective.
Please read the question again: it says "have been found to be ineffective", so the controls could have been configured/implemented weakly, hence mitigation of the control would make it effective again. For example, a behavior monitoring system which is not set to alert properly; the mitigation is to set it up/configure it to throw the right set of alerts.
Since the question contains "credit cards" and "industry standards" then your reference is PCI-DSS. In this scenario your QSA wants to see compensating controls. Which supports C as the correct answer. Besides, how can the overall control environment still be "effective" if only a "plan" is in place?
I think the answer should be B, as if the residual risk is not accepted then they have to address that first.
Community vote distribution: A (35%), C (25%), B (20%), Other